.NET Core authentication cookie not persistent across all requests [Intermittent issue]


Problem description


We have an application which provides SSO authentication. Three other applications get authenticated from the SSO application. Once the user has logged into all applications, I initiated an SSO logout. The SSO app sends a logout request to app1 and then app1 responds with a SAML logout response. Once the SSO app receives the SAML logout response, it sends a logout request to app2 and then app3. Sometimes this whole flow works fine and sometimes not. I have seen that when app2/app3/app1 is responding, the SSO application authentication cookies disappear from the browser and that request becomes unauthenticated for the SSO app, and the user is not able to log out from all applications.

Authentication middleware:

services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
   .AddCookie(options =>
   {
       options.Cookie.Name = ".federation_user_authentication";
       options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
       options.Cookie.Path = "/";
       options.Cookie.IsEssential = true;
       options.ExpireTimeSpan = TimeSpan.FromMinutes(
                       Convert.ToDouble(
                           systemParamsCollection[nameof(JwtTokenVerificationParameterModel.ValidFor)]));
       options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None;
       if (Convert.ToBoolean(configuration["IsCloudDeployment"]))
       {
           options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always; // Cookie/sso login will not work on localhost. because it is on http
       }
   });

Could you let me know what the reason is and why the authentication cookie disappears after 2-3 redirections between apps?

Solution

The reason is probably browser cookie security.

If the cookie security is configured with SameSite=Strict a browser will not send a cookie to the server on one domain if the call originates from another domain.

If the cookie security is SameSite=Lax, GET and POST calls are treated differently. During GET calls the browser will let the cookies get through. But on POST calls the browser will not send a cookie to the server on one domain if the call originates from another domain.

More info https://en.wikipedia.org/wiki/HTTP_cookie
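The SameSite rules the answer describes can be checked with a small model of the browser's decision logic. The following Python is an added illustration, not code from the question, the answer or ASP.NET Core. It encodes the rules as browsers apply them today: Strict cookies are never attached to cross-site requests; Lax cookies accompany only cross-site top-level navigations using a safe method (GET, HEAD, OPTIONS, TRACE), so a cross-site form POST such as a SAML HTTP-POST binding goes out without the cookie while a redirect-binding GET keeps it; and SameSite=None is only honoured together with Secure, since Chrome 80 and later reject a Set-Cookie that carries SameSite=None without Secure. The last rule is what the question's configuration hits outside cloud deployments, where it emits SameSite=None with SecurePolicy.None. The hosts, the logout steps and the `registrable_domain` shortcut (last two DNS labels instead of the Public Suffix List) are constructed assumptions for the example.

```python
"""Model of how a browser decides whether to attach a cookie to a request,
based on the cookie's SameSite and Secure attributes.
Added illustration; hosts and the flow below are constructed, not taken
from the question."""
from dataclasses import dataclass
from typing import Dict, Optional

# Methods a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None"
    secure: bool


def registrable_domain(host: str) -> str:
    """Simplified 'site' computation: last two DNS labels (constructed
    shortcut; a real browser consults the Public Suffix List, e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_same_site(initiator_host: Optional[str], target_host: str) -> bool:
    """No initiator (typed URL, bookmark) counts as same-site."""
    if initiator_host is None:
        return True
    return registrable_domain(initiator_host) == registrable_domain(target_host)


def browser_stores(cookie: Cookie) -> bool:
    """Chrome 80+ rejects a Set-Cookie carrying SameSite=None without Secure,
    so such a cookie never reaches the cookie jar in the first place."""
    return not (cookie.same_site == "None" and not cookie.secure)


def cookie_sent(cookie: Cookie, *, initiator_host: Optional[str], target_host: str,
                method: str, top_level: bool, https: bool) -> bool:
    """Return True if the browser attaches `cookie` to the described request."""
    if not browser_stores(cookie):
        return False
    if cookie.secure and not https:      # Secure cookies never travel over http
        return False
    if is_same_site(initiator_host, target_host):
        return True                      # same-site: SameSite never blocks
    if cookie.same_site == "Strict":
        return False                     # cross-site: never
    if cookie.same_site == "Lax":        # cross-site: only safe-method navigations
        return top_level and method.upper() in SAFE_METHODS
    return True                          # None (+ Secure): always


def aspnet_cookie(is_cloud_deployment: bool) -> Cookie:
    """Cookie attributes produced by the question's AddCookie options:
    SameSite=None always; Secure only when IsCloudDeployment is true."""
    return Cookie(".federation_user_authentication", "None", secure=is_cloud_deployment)


def simulate_sso_logout(cookie: Cookie, https: bool = True) -> Dict[str, bool]:
    """Cross-site returns to the SSO host during logout (constructed hosts).
    A SAML LogoutResponse may arrive as a GET (HTTP-Redirect binding) or as a
    form POST (HTTP-POST binding); both are top-level navigations."""
    sso = "sso.example.com"
    return {
        "app1 LogoutResponse via redirect (GET)": cookie_sent(
            cookie, initiator_host="app1.example.net", target_host=sso,
            method="GET", top_level=True, https=https),
        "app2 LogoutResponse via form (POST)": cookie_sent(
            cookie, initiator_host="app2.example.org", target_host=sso,
            method="POST", top_level=True, https=https),
    }


if __name__ == "__main__":
    for label, c in [("Strict", Cookie("s", "Strict", True)),
                     ("Lax", Cookie("l", "Lax", True)),
                     ("None+Secure (cloud)", aspnet_cookie(True)),
                     ("None without Secure (local)", aspnet_cookie(False))]:
        print(label, simulate_sso_logout(c))
```

Running the script shows the practitioner's takeaway: only the None-plus-Secure combination over HTTPS survives both a GET and a POST return from another site, a Lax cookie survives the GET but not the POST, and a SameSite=None cookie without Secure is never stored at all. That is the configuration to verify when a cross-domain SSO flow loses its session only on some of the redirects.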
