Variable cookie path with ASP.NET Identity


Problem description

We migrated a multitenant MVC application from ASP.NET Membership Provider to ASP.NET Identity.

This is my Startup.Auth.cs (simplified):

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // No CookiePath is set here, so the application cookie is issued for "/".
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity =
                    SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, Identity, int>(
                        TimeSpan.FromMinutes(30),
                        (manager, user) =>
                            manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie),
                        clIdentity => clIdentity.GetUserId<int>())
            }
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
}



In our multitenant application, each tenant has its own URL: http://example.com/tenant1/ and http://example.com/tenant2/

However, currently, the cookies are stored in the root. This causes security issues as users from tenant1 are automatically logged in on the website from tenant2.

How can we make the CookiePath (CookieAuthenticationOptions) variable, so that it differs depending on the tenant?

Recommended answer

I fixed this issue with a lot of help from dampee.

The CookiePath in the CookieAuthenticationOptions object is evaluated only once: at application startup. The easiest solution (workaround) was to create a derived CookieAuthenticationProvider that overrides ResponseSignIn and ResponseSignOut. They both have an argument called context which has a property called CookiePath. Modify this property in both of these methods to change the CookiePath. You can also use the class I created.

Then all you have to do is replace the CookieAuthenticationProvider in the CookieAuthenticationOptions with the one you just created.

This works for the ApplicationCookie. The ExternalSignInCookie doesn't matter that much since it is used only temporarily while signing in with an external login.
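
One way to write the derived provider the answer describes, as an added example that is not the answerer's linked class; it goes one step beyond the answer by also storing the tenant as a claim and rejecting the cookie in ValidateIdentity when it does not match the requested tenant. Browsers do not treat the cookie Path as a security boundary (RFC 6265, section 8.5), so the server-side check is what actually keeps a tenant1 cookie from being accepted under /tenant2/. Assumptions: Microsoft.Owin.Security.Cookies 3.x, where both contexts expose the per-response cookie settings as context.CookieOptions; the application runs at the site root with the tenant as the first path segment; TenantCookieProvider, TenantOf and the claim type are hypothetical names.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;

// Added example. TenantCookieProvider, TenantOf and TenantClaim are hypothetical names.
public class TenantCookieProvider : CookieAuthenticationProvider
{
    private const string TenantClaim = "urn:example:tenant"; // constructed claim type

    // Assumption: app at site root, tenant = first path segment (/tenant1/...).
    internal static string TenantOf(string path)
    {
        string[] parts = (path ?? "").Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        return parts.Length > 0 ? parts[0] : null;
    }

    public override void ResponseSignIn(CookieResponseSignInContext context)
    {
        string tenant = TenantOf(context.Request.Path.Value);
        if (tenant == null)
            throw new InvalidOperationException("Sign-in outside a tenant path.");
        // Per-response cookie options; the shared startup options stay untouched.
        context.CookieOptions.Path = "/" + tenant + "/";
        // Record the tenant so the server can verify it on later requests.
        context.Identity.AddClaim(new Claim(TenantClaim, tenant));
        base.ResponseSignIn(context);
    }

    public override void ResponseSignOut(CookieResponseSignOutContext context)
    {
        string tenant = TenantOf(context.Request.Path.Value);
        // The delete must carry the same Path, or the browser keeps the cookie.
        if (tenant != null)
            context.CookieOptions.Path = "/" + tenant + "/";
        base.ResponseSignOut(context);
    }

    public override Task ValidateIdentity(CookieValidateIdentityContext context)
    {
        Claim claim = context.Identity.FindFirst(TenantClaim);
        string tenant = TenantOf(context.Request.Path.Value);
        if (claim == null || !string.Equals(claim.Value, tenant, StringComparison.OrdinalIgnoreCase))
        {
            context.RejectIdentity(); // cookie was issued for another tenant
            return Task.FromResult(0);
        }
        return base.ValidateIdentity(context); // still runs OnValidateIdentity
    }
}
```

Set Provider = new TenantCookieProvider { OnValidateIdentity = ... } in CookieAuthenticationOptions; the existing SecurityStampValidator delegate keeps running through base.ValidateIdentity.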
