创建一个子域验证Cookie,则重定向到子失去了在asp.net MVC4饼干 [英] Creating a subdomain Auth cookie then redirecting to subdomain loses the cookie in asp.net MVC4
问题描述
我有我的网站的子域名,用户可以选择列表。我想创建他们只能选择子的auth饼干,并不是所有的子域
假设我的网站是mysite.com这时用户可以看到
I have a list of subdomains on my site that a user can select. I want to create an auth cookie for the subdomain they select only, not all of the subdomains Assuming my site is mysite.com then the user could see
- domainOne.mysite.com
- domainTwo.mysite.com
当他们选择了自己的子域名我也中控制器动作以下
When they've selected their subdomain I do the following in the controller action
var faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
faCookie.HttpOnly = true
faCookie.Domain = (subdomain + ".mysite.com")
faCookie.Secure = FormsAuthentication.RequireSSL
response.Cookies.Add(faCookie)
return this.Redirect("http://" + subdomain + ".mysite.com")
其中encTicket只是一些加密的用户信息
where encTicket is just some encrypted user information
在提琴手我认为这是响应
In fiddler I see this as the response
HTTP/1.1 302 Found
Cache-Control: private, s-maxage=0
Content-Type: text/html; charset=utf-8
Location: http://domainOne.mysite.com
Server: Microsoft-IIS/8.0
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
Set-Cookie: .ASPXAUTH=9ECF5B2533<snip>; domain=domainOne.mysite.net; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Fri, 19 Jul 2013 04:19:02 GMT
Content-Length: 142
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://domainOne.mysite.net">here</a>.</h2>
</body></html>
确定这样所有的看起来不错,我在这里。该repsonse告诉浏览器添加一个cookie的子域。
基于所述重定向后续的GET但是不具有该cookie都在它的请求。
ok so all looks good to me here. The repsonse is telling the browser to add a cookie for the subdomain. The subsequent GET based on the redirect however does not have the cookie at all in its request.
有一些挂羊头卖狗肉,我很想念?只是要清楚,我不希望创建根(.mydomain.com来)到cookie,将在所有子域给予认证。
Is there some trickery that I'm missing? Just to be clear I don't want to create a cookie for the root (.mydomain.com) as that would give authentication across all subdomains.
感谢您的帮助。
推荐答案
我有一个好消息和一个坏消息。
I have good news and bad news.
坏消息is--你不能做到这一点。请参见
The bad news is-- you can't do it. See here for an explanation. Essentially your server is setting a cookie for a domain it does not contain, so the cookie is rejected.
is--你的好消息并不无论如何要做到这一点。您的设计违反了 OWASP 2013 A4(不安全和未经验证的直接对象引用)。在这种情况下,你是存储用户的访问权限的cookie域,黑客可以很容易地修改。
The good news is-- you don't want to do this anyway. Your design violates OWASP 2013 A4 (unsecure and unvalidated direct object reference). In this case you are storing user's access permissions as the domain of the cookie, which a hacker can easily modify.
找到一个不同的方式来指定子域访问。有各种方法可以做到这一点。
Find a different way to designate subdomain access. There are all kinds of ways to do this.
下面是pretty接近你的计划的一种方式:
Here is one way that is pretty close to your plan:
在存储cookie值本身的子域。创建一个安全的文档容器,列出该用户被授予访问权限的子域。例如,你可以在子域存储为逗号分隔字符串后面是prevents从列表中篡改恶意用户的HMAC。
Store the subdomain in the cookie value itself. Create a secure document container that lists the subdomains to which the user is granted access. You could for example store the subdomains as a comma-delimited string followed by an HMAC that prevents a malicious user from tampering with the list.
var contents = "subdomain1.domain.com,subdomain2.domain.com";
var bytes = System.Text.Encoding.UTF8.GetBytes(contents);
var hash = System.Web.Security.MachineKey.Encode(bytes,
Web.Security.MachineKeyProtection.Validation);
var cookie = new HttpCookie("MYCOOKIE", contents + "|" + hash);
cookie.domain = "domain.com";
在该子网站接收到一个请求,它会不得不寻找该cookie,检查哈希验证cookie,那么检查的有效载荷,以查看是否应授予访问权限。
When the subdomain site receives a request, it'll have to look for the cookie, check the hash to validate the cookie, then check the payload to see if access should be granted.
var cookie = Request.Cookies["MYCOOKIE'];
var chunks = cookie.Value.Split("|");
var list = chunks[0];
var hash = chunks[1];
var bytes = System.Text.Encoding.UTF8.GetBytes(contents);
var checkHash = System.Web.Security.MachineKey.Encode(bytes,
Web.Security.MachineKeyProtection.Validation);
if (checkHash != hash) throw new System.SecurityException("Someone tampered with the cookie!");
var subdomains = list.split(",");
if (!subdomains.Contains(MY_SUBDOMAIN)) throw new System.SecurityException("Someone is using their cookie to access the wrong domain!");
另一种方法是授予子域列表存储在服务器端的数据库,在列表与令牌相关联,并通过令牌在cookie中。这种方法会有些更安全,因为访问列表是从来没有过线通过。
Another method would be to store the list of granted subdomains in a database on the server side, associate the list with a token, and pass the token in the cookie. This method would be somewhat more secure because the access list is never passed over the wire.
第三种方法是将打造出一个真正的基于SAML的SSO基础设施,而且是那种参与。
A third method would be to build out a real SAML-based SSO infrastructure, but that is sort of involved.
这篇关于创建一个子域验证Cookie,则重定向到子失去了在asp.net MVC4饼干的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
