没有ASP.NET为什么生成一个域和子域相同的cookie关键? [英] Why did ASP.NET generate the same cookie key for a domain and subdomain?
问题描述
我有一个ASP.NET Web应用程序,偶尔设置相同的Cookie键.www.mydomain.com和www.mydomain.com。我试图找出默认Cookie域ASP.NET设置,以及如何我不小心codeD现场有时prePEND一个。到cookie域。
I've got an ASP.NET web application that occasionally sets identical cookie keys for ".www.mydomain.com" and "www.mydomain.com". I'm trying to figure out what default cookie domain ASP.NET sets, and how I accidentally coded the site to sometimes prepend a "." to the cookie domain.
当2饼干具有相同的密钥,并从浏览器发送时,该ASP.NET web应用程序是无法在两个之间进行区分,因为域值未在标头中发送。 (见我的<一个href=\"http://stackoverflow.com/questions/481230/why-are-request-cookie-poperties-null-or-incorrect-on-asp-net-postback\">$p$pvious问题)
When 2 cookies have the same key and are sent up from the browser, the ASP.NET web application is unable to differentiate between the two because the domain value is not sent in the header. (See my previous question)
我已经启用Web服务器上的W3C日志记录和验证,这两个Cookie是从客户端发送。下面是从日志文件(配对下来简洁)的例子。
I've enabled W3C logging on the web server and verified that both cookies are sent from the client. Here's an example from the log file (paired down for brevity).
80 GET /default.aspx page= 200 0 0 - - - - - +MyCookie2=sessionID=559ddb9b-0f38-4878-bb07-834c2ca9caae;+MyCookie2=sessionID=e13d83cd-eac2-46fc-b39d-01826b91cb2c;
可能的因素:
我使用的子域名启用窗体身份验证。
Possible Factor:
I am using subdomain enabled forms authentication.
下面是我的web.config设置:
Here's my web.config settings:
<authentication mode="Forms">
<forms domain="mydomain.com" enableCrossAppRedirects="true" loginUrl="/login" requireSSL="false" timeout="5259600" />
</authentication>
下面是和示例设置自定义的Cookie:
Here's and example of setting custom cookies:
HttpCookie cookie1 = new HttpCookie("MyCookie1") {HttpOnly = true, Expires = expiration};
logosCookie["email"] = user.Email;
logosCookie["keycode"] = user.PasswordHash;
logosCookie["version"] = currentCookieVersion;
context.Response.Cookies.Remove("cookie1");
context.Response.Cookies.Add(cookie1);
// set FormsAuth cookie manually so we can add the UserId to the ticket UserData
var userData = "UserId=" + user.UserID;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, user.Email, now, expiration, true, userData);
string str = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, str)
{
HttpOnly = true,
Path = FormsAuthentication.FormsCookiePath,
Secure = FormsAuthentication.RequireSSL,
Expires = ticket.Expiration
};
if (FormsAuthentication.CookieDomain != null)
{
cookie.Domain = FormsAuthentication.CookieDomain;
}
context.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
context.Response.Cookies.Add(cookie1 );
下面是设置cookie的另一个例子。
Here's another example of setting a cookie.
var cookie2 = new HttpCookie("MyCookie2");
cookie2[CookieSessionIdKey] = Guid.NewGuid();
cookie2.Expires = DateTime.Now.AddYears(10);
HttpContext.Current.Response.Cookies.Set(cookie2);
不良分辨率:
我可以手动强制Cookie域是一个特定的值,但我想避免显式声明的域。我倒是preFER使用缺省框架行为,并改变我的ASP.NET使用,以避免prePEND了。为自定义Cookie的Cookie域。
Undesirable Resolution:
I can manually force the cookie domain to be a specific value, but I'd like to avoid explicitly declaring the domain. I'd prefer to use the default framework behavior and change my use of ASP.NET to avoid prepend the "." to the cookie domain for custom cookies.
推荐答案
在任何域明确的响应服务器设置,浏览器是免费分配的Cookie域值。我还没有想出什么条件导致对时提供的响应没有域的Cookie域的浏览器设置www.mydomain.com与.mydomain.com来,但它发生了。
When no domain is explicitly set by the server on the response, the browser is free to assign the cookie domain value. I haven't figured out exactly what conditions result in the browser setting "www.mydomain.com" vs ".mydomain.com" on a cookie domain when no domain is provided on the response, but it happened.
我有一种感觉它的显式设置.ASPAUTH Cookie域值设置为.mydomain.com来,以支持跨子域的认证,同时使设置为默认(空字符串或)等定义Cookie域的结果
I have a feeling it's a result of explicitly setting the .ASPAUTH cookie domain value to ".mydomain.com" to enable cross subdomain authentication, while leaving other custom cookie domains set to the default (empty string, or "").
我会去与不需要的解决方案,并明确设置cookie域所有自定义的cookie以避免浏览器的怪癖。
I'm going to go with the undesired solution, and explicitly set the cookie domain for all custom cookies to avoid browser quirks.
这篇关于没有ASP.NET为什么生成一个域和子域相同的cookie关键?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
