Too many cookies OpenIdConnect.nonce cause error page "Bad Request - Request Too Long"


Problem description

I'm using OWIN / OAuth with OpenId Connect authentication (Microsoft.Owin.Security.OpenIdConnect) in a C# ASP MVC web app. The SSO login with Microsoft account basically works, but from time to time I'm getting an error page on the browser that says Bad Request - Request Too Long.

I found out that this error is caused by too many cookies. Deleting cookies helps for some time, but after a while the problem comes back.

The cookies that cause the problem are set from OpenId framework, so there are dozens of cookies with names like OpenIdConnect.nonce.9oEtF53WxOi2uAw........

This is not an SPA application, but some parts are refreshed periodically with Ajax calls.

Recommended answer

It turned out that the root cause was the Ajax call.

The problematic flow was:

1) The OAuth cookie expired after some time.

2) Expiration normally causes a redirection of the page to login.microsoft.com to refresh the cookie. In this step the OAuth framework adds a new nonce cookie to the response (every time)!

3) But Ajax doesn't handle redirections outside of the domain (cross-domain to login.microsoft.com). However, the cookie was already appended to the page.

4) The next periodic Ajax call repeated the flow, causing a rapid increase of 'nonce' cookies.

Solution

I had to extend the "OWIN OpenId" framework setup code to handle Ajax calls differently - to prevent redirection and stop sending cookies.

using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Assumed enclosing class (the usual Startup.Auth.cs in an ASP.NET MVC project); the post shows only the method.
public partial class Startup
{
    // Placeholders: the post does not show where these two values come from.
    private static readonly string clientId = "<client-id>";
    private static readonly string authority = "<authority-url>";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Invoked just before the middleware redirects to the identity provider.
                    RedirectToIdentityProvider = ctx =>
                    {
                        bool isAjaxRequest = ctx.Request.Headers != null
                            && ctx.Request.Headers["X-Requested-With"] == "XMLHttpRequest";

                        if (isAjaxRequest)
                        {
                            // Drop the nonce cookie the middleware attached to this response and
                            // skip the cross-domain 302. The 401 from the challenge reaches the
                            // Ajax caller, which does a full page refresh instead.
                            ctx.Response.Headers.Remove("Set-Cookie");
                            ctx.State = NotificationResultState.HandledResponse;
                        }

                        return Task.FromResult(0);
                    }
                }
            });
    }
}

The Ajax caller had to be adjusted too, to detect the 401 code and perform a full page refresh (which caused a quick redirect to the Microsoft authority).
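The client-side half of that adjustment, as an added example that is not part of the original answer: a wrapper for the periodic Ajax calls that sends X-Requested-With (so the server hook above sees an Ajax request) and turns a 401 into a full page navigation. The names refreshFragment, handleRefreshResponse and makeFakeFetch are assumed, as are the injectable fetchImpl and reload hooks that let the flow run outside a browser.

```javascript
// Decide what the caller should do with a refresh response: use it, reload, or fail.
function handleRefreshResponse(response) {
  if (response.status === 401) {
    // Auth cookie expired. Ajax cannot follow the cross-domain redirect to
    // login.microsoft.com, so hand over to a full page navigation.
    return { action: 'reload', response: null };
  }
  if (response.ok) {
    return { action: 'use', response };
  }
  return { action: 'fail', response };
}
// Fetch a page fragment. X-Requested-With lets the server-side
// RedirectToIdentityProvider hook treat the call as Ajax and answer 401 instead
// of a 302 plus a fresh nonce cookie. fetchImpl/reload are assumed injection points.
async function refreshFragment(url, { fetchImpl, reload } = {}) {
  const doFetch = fetchImpl || globalThis.fetch;
  const doReload = reload || (() => globalThis.location.reload());
  const response = await doFetch(url, {
    credentials: 'same-origin',
    headers: { 'X-Requested-With': 'XMLHttpRequest' },
  });
  const outcome = handleRefreshResponse(response);
  if (outcome.action === 'reload') {
    doReload();
  }
  return outcome;
}
// Constructed stand-in for fetch: first call returns 401 (expired cookie),
// later calls 200. Records the last request init so the header can be checked.
function makeFakeFetch() {
  let calls = 0;
  const fake = async (url, init) => {
    fake.lastInit = init;
    calls += 1;
    const status = calls === 1 ? 401 : 200;
    return { status, ok: status === 200, text: async () => '<div>fragment</div>' };
  };
  return fake;
}
// Stand-alone run: the first call triggers one reload, the second is used.
(async () => {
  const fetchImpl = makeFakeFetch();
  let reloads = 0;
  const reload = () => { reloads += 1; };
  const first = await refreshFragment('/fragment', { fetchImpl, reload });
  const second = await refreshFragment('/fragment', { fetchImpl, reload });
  console.log(first.action, second.action, 'reloads:', reloads); // reload use reloads: 1
})();
```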
