客户端访问ASP.NET身份验证票证（通过JavaScript） [英] Access ASP.NET authentication ticket on Client (via javascript)

问题描述

我有一个使用Forms身份验证的ASP.NET网站

I have an ASP.NET website that uses Forms authentication

    <authentication mode="Forms">
        <forms name="NewsCoreAuthentication" loginUrl="~/Default.aspx" defaultUrl="~/Default.aspx" protection="Validation" timeout="300" domain="someRootDomain.com" />
    </authentication>

我需要确定，如果用户的网页上验证它呈现给客户端后。
要做到这一点，我以为我可以读的document.cookie 并检查是否.ASPXAUTH是存在的。
但问题是，即使我在这个价值我签的是清除

I need to identify if user is authenticated on web page after it was rendered to client. To accomplish this I thought that I can read document.cookie and check if ".ASPXAUTH" is there. But the problem is that even if I am signed in this value is empty.

我怎么可以检查用户进行身份验证？
为什么的document.cookie是空的？

How can I check that user is authenticated? Why document.cookie is empty?

感谢您的答案。 blowdart 帮助我了解为什么身份验证票是不是来自客户端脚本访问。

Thank you for answers. blowdart helped me to understand why authentication ticket is not accessible from client script.

推荐答案

这是空白的原因是因为cookie被标记为仅Http保护。这意味着它无法通过脚本访问。关闭这个功能是一个非常非常糟糕的主意，因为在你的网站XSS漏洞可能会面临的cookie盗窃，所以我不会告诉你如何做到这一点。

The reason it's blank is because the cookie is protected by being marked as HttpOnly. This means it cannot be accessed via script. Turning this off is a very very bad idea, as XSS vulnerabilities in your site could expose it to cookie theft, so I'm not going to tell you how you can do it.

这篇关于客户端访问ASP.NET身份验证票证（通过JavaScript）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！