从另一个域获取发布的数据时,ASP.NET webform 丢失会话 [英] ASP.NET webform loses session when getting posted data from another domain
问题描述
简单地说:
在网站中,用户登录并创建了一些会话对象.
In website A user logs in and creates some session objects.
网站 A 使用 Response.Redirect 将用户重定向到网站 B 中的页面.
Website A redirects user to a page in website B using Response.Redirect.
网站 B 使用提交按钮将表单集合发布到网站 A 上的页面.
Website B POSTs a form collection to a page on website A using a submit button.
在这个特定点上,这个特定用户的所有会话都丢失了,Session_Start 再次触发.
On this specific point all sessions of this specific user are lost and Session_Start fires again.
这对于本地主机和生产域都是一样的.
This is the same for both localhost and production domains.
当两个页面都在同一个域中时,这是可以的,两个不同的域会出现问题.
This is OK when both pages are on the same domain, problem occurs with two separate domains.
在第 3 步中,当使用链接而不是按钮返回网站 A(显然是 wieemsh 完全限定域名)时,一切正常,会话存在.
On step 3 when using a link instead of the button to return to website A (apparently wieemsh fully qualified domain name), everything is ok and sessions exist.
似乎是跨平台提交/POST 问题.
Seems it's a cross platform submit/POST problem.
会话是带有 cookie 的 InProc,不能更改此设置.
Sessions are InProc with cookies, changing this setting is not an option.
感谢您的关注.
附言谷歌搜索这个,我发现从一个页面重定向到另一个页面时存在某种类似的丢失会话"问题.这不是由 response.Redirect 引起的.
P.S. googling this, I found out that there is somehow similar 'losing session' problem when redirecting from one page to another. this is not caused by response.Redirect.
编辑
此问题有可能是由 SameSite Cookie 政策引起的.我在几个条件下进行了几次测试,但我仍然无法确认这一点.
There is a probability that this problem is caused by SameSite Cookie Policy. I ran several tests on several conditions and I cannot still confirm this.
推荐答案
首先这是一个 4.7.1 ASP.NET webform 项目,所以如果你使用 MVC,你只能得到一些线索.
First This was a 4.7.1 ASP.NET webform project, so if you are on MVC you can only get some clue.
正如@JohnPete22 提到的 这篇文章 说 SameSite Cookie 策略(作为一种新的安全措施)适用于 4.7.2 及更高版本,您至少可以控制它打开或关闭,但它没有什么'我要说的是它也会影响 4.7.1 项目,并且无法控制该功能,准确地说,它始终处于开启状态,但 .NET 框架版本无法识别控制命令(我不知道任何 .NET 更新来解决这个问题).这就是为什么回发到单独域上的页面会丢失表单收集数据的原因:为了维护跨域安全.
As @JohnPete22 mentioned This Article says SameSite Cookie Policy (as a new security measure) is for 4.7.2 and above in which you have some control, at least, to turn it ON or OFF, but what it doesn't say is that it also affects 4.7.1 projects as well with no controls over the feature, to be precise, it is always ON but control commands are not recognized by .NET framework version (I'm not aware of any .NET update to solve this). This is why posting back to a page on a separate domain looses form collection data: to maintain cross domain security.
注意:这不是解决方案,而是一种解决方法:
Note: this is not a solution, rather it's a workaround:
将您的项目更新到 4.7.2 以启用 SameSite 模式,这没什么大不了的.
Update your project to 4.7.2 to enable SameSite modes, this is not a big deal.
将此代码添加到 Global.asax Session_Start 事件
Add this code to Global.asax Session_Start event
if (Response.Cookies["ASP.NET_SessionId"] != null)
{
Response.Cookies["ASP.NET_SessionId"].SameSite = SameSiteMode.None;
// Optional - This makes the feature secure
// if (Request.IsSecureConnection)
// Response.Cookies["ASP.NET_SessionId"].Secure = true;
}
我测试了其他选项 SameSiteMode.Strict 和 SameSiteMode.Lax 但没有用,所以我只是关闭了该功能.
I tested other options SameSiteMode.Strict and SameSiteMode.Lax but did not work so I simply turned the feature off.
将此添加到 Web.Config System.Web 部分:
Add this to Web.Config System.Web section:
<sessionState mode="InProc" cookieless="UseCookies" />
为了加强安全性,您可以考虑使用 Request.UrlReferrer?.ToString() 检查源网站并相应地更改 SameSite 模式.
To enforce better security, you may consider checking source website with Request.UrlReferrer?.ToString() and change SameSite mode accordingly.
就是这样,伙计们!
这篇关于从另一个域获取发布的数据时,ASP.NET webform 丢失会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
