Securing the Forms Authentication Cookie when offloading SSL


Question

I am attempting to secure a website I am currently developing using ASP.NET MVC 2.0 and forms authentication. In order to secure the forms authentication cookie I want to set the requiresSSL property to true so the cookie is only sent by browsers when the connection is under SSL, and obviously ensure that all resources which require authorization are under SSL.

My problem is that we are using Application Request Routing to fulfil a number of functions, one being SSL offloading, therefore by the time a request hits any web server in our farm the request is no longer under SSL and the FormsAuthentication.SetAuthCookie method fails because an SSL connection is required to set the cookie when requiresSSL is specified.

Anyone have any ideas as to a workaround here!

Thanks

Solution

So I have a workaround for this, however if anyone has any better ideas please feel free to comment. Essentially you need to intercept the response at the end of the request and manually set the Secure property on the forms authentication cookie (pretty obvious really). You will also need to set the requireSSL property in the forms authentication configuration to false. Also bear in mind that we do not want to enable HTTPS for the entire site for authenticated users, hence this workaround.

There are a couple of caveats to this approach and a few things to be aware of.

  1. I found during testing that the forms authentication cookie was always written to in the response, so I kept overwriting the valid authentication cookie in the browser with an empty authentication cookie; to get around this I included some logic in the HTTP module, see the code snippet below.

  2. All requests to the application which require authorization must be under SSL, otherwise the request will not contain the authentication cookie in order to authenticate the user.

  3. Because you are only passing the authentication cookie for SSL requests you will need another mechanism to tell your application that the current user is authenticated when they browse the non-SSL areas of the site. I have implemented this with an additional cookie which is set when the user logs in and does not have an expiry date set, so it will expire at the end of the user's session; of course this cookie is removed if the user logs out.

Below is the logic implemented in an HTTP Module to effect the above. I have been testing this for the last couple of hours and have not come across any problems yet; I will be sure to update this post if I do!


We should only ever send an authentication cookie to the client if the user has just logged in; here's the logic:

  1. If the request has an auth cookie, the user is already authenticated and under SSL, so ensure we do not send a new auth cookie in the response.
  2. If the request does not have an auth cookie but there is a valid auth cookie in the response, set the response auth cookie to secure, so it is only transmitted by the browser under SSL.
  3. If the request does not have an auth cookie and the response has an invalid or empty auth cookie, ensure we remove the response cookie so we don't overwrite the valid cookie in the client browser.

using System;
using System.Web;
using System.Web.Security;

// ValidRequest is a helper of the poster's that is not shown in the post; it is
// assumed to return true for requests this module should inspect.
private void EndRequest(object sender, EventArgs e)
{
    var application = (HttpApplication)sender;

    if (ValidRequest(application.Request) && application.Response.Cookies.Count > 0)
    {
        // only do the below if the user is not logging out of the site; if the user is logging out we can
        // leave the default forms authentication behaviour, which is to expire the auth cookie
        if (application.Request.AppRelativeCurrentExecutionFilePath != "~/authentication/logoff")
        {
            var requestAuthCookie = application.Request.Cookies[FormsAuthentication.FormsCookieName];
            // Note: the Response.Cookies indexer creates an empty cookie when none exists, which is why
            // an auth cookie appears to be "always written"; the branches below handle that empty cookie.
            var responseAuthCookie = application.Response.Cookies[FormsAuthentication.FormsCookieName];

            // 1. request already carries the auth cookie and the response one is empty: do not clobber it
            if (requestAuthCookie != null && responseAuthCookie != null && string.IsNullOrEmpty(responseAuthCookie.Value))
            {
                application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
            }
            // 2. a real ticket is being issued: mark it Secure so the browser only returns it over https
            else if (responseAuthCookie != null && !string.IsNullOrEmpty(responseAuthCookie.Value))
            {
                responseAuthCookie.Secure = true;
                application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
                application.Response.Cookies.Add(responseAuthCookie);
            }
            // 3. nothing useful in the response cookie: drop it rather than overwrite the client's copy
            else if (responseAuthCookie == null || string.IsNullOrEmpty(responseAuthCookie.Value))
            {
                application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
            }
        }
    }
}
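As an added example (not the poster's module and not part of the original thread), here is an IHttpModule that applies the same idea but decides whether the browser's connection was TLS from the reverse proxy rather than from the request path, and detects a sign-out from the cookie itself instead of hard-coding the logoff URL. It assumes the reverse proxy (ARR in the question) is configured to add `X-Forwarded-Proto: https` to requests it received over TLS and that the proxy's address is known (`10.0.0.5` is a placeholder), so the header is trusted only from that source; `LoggedInHint` is a hypothetical name for the caveat-3 cookie. It also avoids the `Response.Cookies` indexer behaviour (creating an empty cookie on lookup) that produced the "always written" empty cookie in the post.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Security;

// Added example, not the original poster's code. Assumptions, labelled where used:
// the reverse proxy sends "X-Forwarded-Proto: https" for requests it received over TLS,
// and its address is known so that header is trusted only when the request came from it.
// requireSSL stays false in web.config, as in the accepted work-around, because the
// web servers behind the offloader never see TLS themselves.
public class OffloadedSslAuthCookieModule : IHttpModule
{
    private const string ForwardedProtoHeader = "X-Forwarded-Proto";                  // assumed proxy header
    private const string LoggedInHintCookie = "LoggedInHint";                          // hypothetical name
    private static readonly IPAddress TrustedProxy = IPAddress.Parse("10.0.0.5");      // placeholder address

    public void Init(HttpApplication app)
    {
        app.EndRequest += (sender, e) => SecureAuthCookie(((HttpApplication)sender).Context);
    }

    public void Dispose() { }

    // True when the browser's own connection was TLS: either this server sees TLS directly
    // (no offloading) or the trusted proxy says so. The header is ignored from any other source,
    // so a client cannot spoof "https" to get an auth cookie issued over a clear-text path.
    public static bool ClientUsedTls(HttpRequest request)
    {
        if (request.IsSecureConnection) return true;
        IPAddress source;
        if (!IPAddress.TryParse(request.UserHostAddress ?? string.Empty, out source)) return false;
        if (!source.Equals(TrustedProxy)) return false;
        return string.Equals(request.Headers[ForwardedProtoHeader], "https",
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void SecureAuthCookie(HttpContext ctx)
    {
        var cookies = ctx.Response.Cookies;
        var name = FormsAuthentication.FormsCookieName;

        // Check AllKeys first: the Response.Cookies[name] indexer silently creates an empty
        // cookie when none exists, which is the "always written" behaviour the post describes.
        if (!cookies.AllKeys.Contains(name)) return;
        var authCookie = cookies[name];

        if (string.IsNullOrEmpty(authCookie.Value))
        {
            // FormsAuthentication.SignOut() writes an empty cookie with an expiry in the past.
            // Let that reach the browser, flagged Secure so it matches the cookie it deletes.
            // Any other empty auth cookie is an artifact and must not clobber the real one.
            bool isSignOut = authCookie.Expires != DateTime.MinValue && authCookie.Expires < DateTime.Now;
            if (isSignOut)
            {
                authCookie.Secure = true;
                authCookie.HttpOnly = true;
                cookies.Set(authCookie);
            }
            else
            {
                cookies.Remove(name);
            }
            return;
        }

        if (!ClientUsedTls(ctx.Request))
        {
            // A ticket issued on a request that did not originate over TLS would hand the
            // browser a cookie it may later send in clear text. Refuse to issue it instead.
            cookies.Remove(name);
            return;
        }

        authCookie.Secure = true;    // browser returns it only on https:// URLs
        authCookie.HttpOnly = true;  // and keeps it out of script reach
        cookies.Set(authCookie);

        // The non-Secure "logged in" hint from caveat 3. It carries no authority: it only lets
        // non-TLS pages render signed-in UI; authorisation decisions still need the real ticket.
        var hint = new HttpCookie(LoggedInHintCookie, "1") { HttpOnly = true }; // no Expires: session cookie
        cookies.Set(hint);
    }
}
```

Register the module in web.config (`system.web/httpModules` for classic mode, `system.webServer/modules` for integrated mode) and configure the offloader to set the forwarded header; without that configuration `ClientUsedTls` returns false and no auth cookie is ever issued, which is the safe failure. The hint cookie must never be used for an authorization decision, since anyone can set it.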
