太多的 cookie OpenIdConnect.nonce 导致错误页面“Bad Request - Request Too Long" [英] Too many cookies OpenIdConnect.nonce cause error page "Bad Request - Request Too Long"

问题描述

我在 C# ASP MVC Web 应用程序中使用 OWIN/OAuth 和 OpenId Connect 身份验证 (Microsoft.Owin.Security.OpenIdConnect).使用 Microsoft 帐户的 SSO 登录基本上可以工作，但有时我会在浏览器上看到一个错误页面，上面写着 Bad Request - Request Too Long.

I'm using OWIN / OAuth with OpenId Connect authentication (Microsoft.Owin.Security.OpenIdConnect) in a C# ASP MVC web app. The SSO login with Microsoft account basically works, but from time to time I'm getting an error page on the browser that says Bad Request - Request Too Long.

我发现这个错误是由太多的cookies引起的.删除 cookie 有一段时间有帮助，但过了一段时间，问题又回来了.

I found out that this error is caused by too many cookies. Deleting cookies helps for some time, but after a while the problem comes back.

导致问题的 cookie 是从 OpenId 框架设置的，所以有几十个 cookie 的名字像 OpenIdConnect.nonce.9oEtF53WxOi2uAw........

The cookies that cause the problem are set from OpenId framework, so there are dozens of cookies with names like OpenIdConnect.nonce.9oEtF53WxOi2uAw........

这不是 SPA 应用程序，但某些部分会通过 ajax 调用定期刷新.

This is not SPA application, but some parts are refreshed periodically with ajax calls.

推荐答案

原来根本原因是 Ajax 调用.

It turned out that the root cause was the Ajax call.

有问题的流程是

1) OAuth cookie 在一段时间后过期

1) OAuth cookie got expired after some time

2) 到期通常会导致将页面重定向到 login.microsoft.com 以刷新 cookie.在这一步中，OAuth 框架添加新的 nonce cookie 到响应中(每次)！

2) Expiration normally causes redirection the page to login.microsoft.com to refresh the cookie. In this step OAuth framework adds new nonce cookie to the response (every time)!

3) 但是 Ajax 不处理域外的重定向(跨域到 login.microsoft.com).但是 cookie 已经附加到页面上.

3) But Ajax doesn't handle redirections outside of the domain (cross-domain to login.microsoft.com). But the cookie was already appended to the page.

4) 下一个周期性的 Ajax 调用重复了导致nonce"cookie 快速增加的流程.

4) Next periodical Ajax call repeated the flow causing rapid increase of 'nonce' cookies.

解决方案

我不得不扩展OWIN OpenId"框架设置代码以不同方式处理 Ajax 调用 - 以防止重定向并停止发送 cookie.

I had to extend the "OWIN OpenId" framework setup code to handle Ajax calls differently - to prevent redirection and stop sending cookies.

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx => 
                {
                    bool isAjaxRequest = (ctx.Request.Headers != null && ctx.Request.Headers["X-Requested-With"] == "XMLHttpRequest");

                    if (isAjaxRequest)
                    {
                        ctx.Response.Headers.Remove("Set-Cookie");
                        ctx.State = NotificationResultState.HandledResponse;
                    }

                    return Task.FromResult(0);
                }
            }
        });
}

还必须调整 Ajax 调用方以检测 401 代码并执行整页刷新(这会导致快速重定向到 Microsoft 权限).

The Ajax caller had to be adjusted too to detect 401 code and perform full page refresh (which caused a quick redirect to Microsoft authority).

这篇关于太多的 cookie OpenIdConnect.nonce 导致错误页面“Bad Request - Request Too Long"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！