Cookies with and without the Domain Specified (browser inconsistency)


Problem description

I've noticed that there are some real inconsistencies between browsers in terms of cookies.

This is going to be rather long so bear with me.

Note: I've set up a domain in my hosts file called "testdomain.com"; this bug WON'T work when using "localhost".

Note2: I am curious to know how this works on Apache/PHP, if, when you retrieve a cookie by name, it gives a collection of cookies back.

Wikipedia states: http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path

Domain and Path
  The cookie domain and path define the scope of the cookie; they tell the browser that cookies should only be sent back to the server for the given domain and path. If not specified, they default to the domain and path of the object that was requested.

So if we push down:

Response.Cookies.Add(new HttpCookie("Banana", "2")
{

});

We should get a cookie with the domain used being the domain from the requested object, in this case it should be "testdomain.com".

W3 states in the specification for cookies: http://www.w3.org/Protocols/rfc2109/rfc2109

Domain=domain-name

  Optional. The Domain attribute specifies the domain for which the cookie is valid. An explicitly specified domain must always start with a dot.

So if we push down:

Response.Cookies.Add(new HttpCookie("Banana", "1")
{
    Domain = Request.Url.Host
});

We pushed down the host-name explicitly, so we should get a domain name set on the cookie which would be prefixed with the dot; in this case it should be ".testdomain.com".

It also states what's on Wikipedia:

  Domain Defaults to the request-host. (Note that there is no dot at the beginning of request-host.)

With me so far?

If I use the first method, defining a Domain:

Response.Cookies.Add(new HttpCookie("Banana", "1")
{
    Domain = Request.Url.Host
});

Here are the results:

IE9: 1 cookie

Opera: 1 cookie

Firefox: 1 cookie

Chrome: 1 cookie

As you can see, both Opera and IE set an EXPLICIT domain without the dot prefix.

Both Firefox and Chrome DO set the EXPLICIT domain with a dot prefix.

If I use the following code:

Response.Cookies.Add(new HttpCookie("Banana", "2")
{

});

IE / Opera: Both have the exact same result, the domain WITHOUT the dot prefix.

Funnily enough, Firefox and Chrome both create cookies WITHOUT the dot prefix.

(I cleared all cookies and ran the code again)

Firefox:

Chrome:

This is where it gets interesting. If I write the cookies one after another like so:

Response.Cookies.Add(new HttpCookie("Banana", "1")
{
    Domain = Request.Url.Host
});
Response.Cookies.Add(new HttpCookie("Banana", "2")
{

});

PERSONALLY I would expect one cookie to exist in the browser, because I assume it's based on the cookie name.

Here is what I observed:

In IE / Opera, the LAST cookie set is the cookie that is used. This is because the Cookie name and Domain name are identical.

If you explicitly define a domain name with a dot, both browsers will still see 1 cookie, the last cookie of the same name.

Chrome and Firefox, on the other hand, see more than 1 cookie:

I wrote the following JavaScript to dump the values to the page:

<script type="text/javascript">

(function () {
    var cookies = document.cookie.split(';');
    var output = "";

    for (var i = 0; i < cookies.length; i++) {
        output += "<li>Name " + cookies[i].split('=')[0];
        output += " - Value " + cookies[i].split('=')[1] + "</li>";
    }

    document.write("<ul>" + output + "</ul>");
})();

</script>

Here are the results:

IE - 2 cookies set (browser sees 1):

Opera - 2 cookies set (browser sees 1):

Firefox - 2 cookies set and browser sees 2!:

Chrome - 2 cookies set and browser sees 2!:

Now you're probably wondering wtf all this is.


  1. When you access a cookie by name in C#, it gives you 1 cookie (the first cookie with that name).

  2. The browser sends all cookies to the server.

  3. The browser doesn't send any information other than the cookie's key/value. (This means the server doesn't care about the domain.)

  4. You can access both cookies with the same name if you retrieve them by index.

Problem...

We had to change our Authentication to specify the domain in the cookie when we pushed it down.

This broke Chrome and Firefox: users were no longer able to log in, because the server would try to authenticate the old auth cookie. This is because (from my understanding) it uses the Authentication Cookie Name to retrieve the cookie.

Even though there are two cookies, the first one is retrieved, which happens to be the old one; authentication fails and the user isn't logged in. SOMETIMES the correct cookie is first in the list, and the authentication succeeds...

Initially we solved this by pushing a cookie with the old domain to expire it. This worked in Chrome and Firefox.

But it then broke IE/Opera since both browsers don't care about the domain and only compare the cookie based on the name.

My conclusion is that the domain on a cookie is a complete and utter waste of time.

Assuming that we must specify the domain, and we can't rely on users to clear their browser cache, how can we resolve this problem?

Digging into how .NET signs a user out.

if (FormsAuthentication._CookieDomain != null)
{
    httpCookie.Domain = FormsAuthentication._CookieDomain;
}

It looks like it's entirely possible for the Forms authentication to push an expired Auth cookie that is entirely unrelated to the cookie the user is authenticated with. It doesn't use the current Auth Cookie's domain.

Which it can't use anyway, since the domain isn't pushed back to the server with the cookie.

It seems FormsAuthentication is really broken. If you use an explicit domain name on a cookie when you authenticate the user, wait for the session to time out, then refresh the page, the method of generating the cookie used by FormsAuthentication results in the domain being null, which causes the browser to assign a dotless domain.

It requires that Forms be assigned a domain up front for it to be assigned to the cookie, and this breaks a multi-tenant system...
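As an added illustration of points 1 to 4 above (not the question author's code; it assumes a Python server-side view rather than ASP.NET, and the Cookie header value is a constructed sample): the browser sends only name=value pairs, so a name-keyed lookup sees one cookie while an order-preserving parse sees both, and clearing a stale copy means issuing an expiring Set-Cookie for each scope it may be stored under before setting the fresh one last.

```python
"""Server-side view of the duplicate-cookie problem described above.

Browsers send only name=value pairs in the Cookie header (no Domain or Path),
so two cookies stored under different scopes arrive as "Banana=1; Banana=2".
"""
from http.cookies import SimpleCookie

# Constructed sample: what Firefox/Chrome send after the two Set-Cookie calls above.
SAMPLE_COOKIE_HEADER = "Banana=1; Banana=2"

def parse_cookie_header(header):
    """Order-preserving parse into a list of (name, value); duplicate names are kept."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if name:
            pairs.append((name, value if sep else ""))
    return pairs

def first_by_name(pairs, name):
    """Name-keyed lookup as the question describes it: the first match wins."""
    return next((v for n, v in pairs if n == name), None)

def all_by_name(pairs, name):
    """Index-style retrieval: every value sent under that name, in order."""
    return [v for n, v in pairs if n == name]

def name_keyed_count(header):
    """A dict-style cookie jar (here Python's SimpleCookie) collapses duplicates to one."""
    jar = SimpleCookie()
    jar.load(header)
    return len(jar)

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"

def expire_then_set(name, value, path, stale_domains):
    """Set-Cookie header values that clear `name` under every scope a stale copy may
    live in (host-only, then each explicit Domain), and set the fresh host-only cookie
    LAST. A browser that keys cookies only by name keeps the last write; one that keys
    by (name, domain, path) clears each stale entry separately. Either way one cookie
    with the fresh value remains."""
    headers = [f"{name}=; Expires={EPOCH}; Max-Age=0; Path={path}"]
    for domain in stale_domains:
        headers.append(f"{name}=; Expires={EPOCH}; Max-Age=0; Path={path}; Domain={domain}")
    headers.append(f"{name}={value}; Path={path}")
    return headers
```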

Recommended answer

@WilliamBZA's suggestion helped solve the initial problem, but then the signout/session timeout bug that results in the cookie creating an implicit domain cookie has made me come to the conclusion that the solution is...

Don't use Explicit cookies in .NET... ever

There are far too many problems. Sure, they can be solved by being explicit on the Form/Domain, Cookie/Domain, etc. to ensure that the correct domain is used everywhere. But if your application hosts multiple domains or is multi-tenant, then it just becomes too problematic.

Lesson is learnt. Don't use explicit cookies.
