为什么ASP.NET为域和子域生成相同的cookie密钥? [英] Why did ASP.NET generate the same cookie key for a domain and subdomain?
问题描述
Bug:
我有一个ASP.NET网络应用程序,偶尔为.www.mydomain.com和www.mydomain .com。我试图找出什么默认Cookie域ASP.NET集,以及我如何意外编码的网站有时预先。
当两个Cookie具有相同的密钥并从浏览器发送时,ASP.NET Web应用程序无法区分两者,因为域值不在标头中发送。 (请参阅我的上一个问题)
证据:
我已在网络服务器上启用了W3C日志记录,从客户端发送。下面是日志文件中的一个例子(为简洁起见)。
80 GET /default.aspx page = 200 0 0 - - - - - + MyCookie2 = sessionID = 559ddb9b-0f38-4878-bb07-834c2ca9caae; + MyCookie2 = sessionID = e13d83cd-eac2-46fc-b39d-01826b91cb2c;
可能的因素:
子域启用表单身份验证。
以下是我的web.config设置:
< authentication mode =Forms>
< forms domain =mydomain.comenableCrossAppRedirects =trueloginUrl =/ loginrequireSSL =falsetimeout =5259600/>
< / authentication>
以下是设置自定义Cookie的示例:
HttpCookie cookie1 = new HttpCookie(MyCookie1){HttpOnly = true,Expires = expiration};
logosCookie [email] = user.Email;
logosCookie [keycode] = user.PasswordHash;
logosCookie [version] = currentCookieVersion;
context.Response.Cookies.Remove(cookie1);
context.Response.Cookies.Add(cookie1);
//手动设置FormsAuth cookie,以便我们可以将UserId添加到票证UserData
var userData =UserId =+ user.UserID;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2,user.Email,now,expiration,true,userData);
string str = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,str)
{
HttpOnly = true,
Path = FormsAuthentication.FormsCookiePath,
Secure = FormsAuthentication.RequireSSL,
Expires = ticket.Expiration
};
if(FormsAuthentication.CookieDomain!= null)
{
cookie.Domain = FormsAuthentication.CookieDomain;
}
context.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
context.Response.Cookies.Add(cookie1);
这是另一个设置cookie的示例。
var cookie2 = new HttpCookie(MyCookie2);
cookie2 [CookieSessionIdKey] = Guid.NewGuid();
cookie2.Expires = DateTime.Now.AddYears(10);
HttpContext.Current.Response.Cookies.Set(cookie2);
不合意的分辨率:
强制cookie域是一个特定的值,但我想避免显式声明域。我更喜欢使用默认框架行为和更改我的ASP.NET的使用,以避免前面的。
当服务器在响应中没有明确设置域时,浏览器是免费的以分配Cookie域值。我没有想出什么条件导致浏览器设置www.mydomain.comvs.mydomain.com在cookie域上没有提供域,但发生了。
我有一种感觉,是明确将.ASPAUTH cookie域值设置为.mydomain.com以启用跨子域认证,而将其他自定义Cookie域设置为默认值空字符串或)。
我将使用不需要的解决方案,并明确设置所有自定义Cookie的Cookie域,以避免浏览器的问题。 / p>
Bug:
I've got an ASP.NET web application that occasionally sets identical cookie keys for ".www.mydomain.com" and "www.mydomain.com". I'm trying to figure out what default cookie domain ASP.NET sets, and how I accidentally coded the site to sometimes prepend a "." to the cookie domain.
When 2 cookies have the same key and are sent up from the browser, the ASP.NET web application is unable to differentiate between the two because the domain value is not sent in the header. (See my previous question)
Evidence:
I've enabled W3C logging on the web server and verified that both cookies are sent from the client. Here's an example from the log file (paired down for brevity).
80 GET /default.aspx page= 200 0 0 - - - - - +MyCookie2=sessionID=559ddb9b-0f38-4878-bb07-834c2ca9caae;+MyCookie2=sessionID=e13d83cd-eac2-46fc-b39d-01826b91cb2c;
Possible Factor:
I am using subdomain enabled forms authentication.
Here's my web.config settings:
<authentication mode="Forms">
<forms domain="mydomain.com" enableCrossAppRedirects="true" loginUrl="/login" requireSSL="false" timeout="5259600" />
</authentication>
Here's and example of setting custom cookies:
HttpCookie cookie1 = new HttpCookie("MyCookie1") {HttpOnly = true, Expires = expiration};
logosCookie["email"] = user.Email;
logosCookie["keycode"] = user.PasswordHash;
logosCookie["version"] = currentCookieVersion;
context.Response.Cookies.Remove("cookie1");
context.Response.Cookies.Add(cookie1);
// set FormsAuth cookie manually so we can add the UserId to the ticket UserData
var userData = "UserId=" + user.UserID;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, user.Email, now, expiration, true, userData);
string str = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, str)
{
HttpOnly = true,
Path = FormsAuthentication.FormsCookiePath,
Secure = FormsAuthentication.RequireSSL,
Expires = ticket.Expiration
};
if (FormsAuthentication.CookieDomain != null)
{
cookie.Domain = FormsAuthentication.CookieDomain;
}
context.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
context.Response.Cookies.Add(cookie1 );
Here's another example of setting a cookie.
var cookie2 = new HttpCookie("MyCookie2");
cookie2[CookieSessionIdKey] = Guid.NewGuid();
cookie2.Expires = DateTime.Now.AddYears(10);
HttpContext.Current.Response.Cookies.Set(cookie2);
Undesirable Resolution:
I can manually force the cookie domain to be a specific value, but I'd like to avoid explicitly declaring the domain. I'd prefer to use the default framework behavior and change my use of ASP.NET to avoid prepend the "." to the cookie domain for custom cookies.
When no domain is explicitly set by the server on the response, the browser is free to assign the cookie domain value. I haven't figured out exactly what conditions result in the browser setting "www.mydomain.com" vs ".mydomain.com" on a cookie domain when no domain is provided on the response, but it happened.
I have a feeling it's a result of explicitly setting the .ASPAUTH cookie domain value to ".mydomain.com" to enable cross subdomain authentication, while leaving other custom cookie domains set to the default (empty string, or "").
I'm going to go with the undesired solution, and explicitly set the cookie domain for all custom cookies to avoid browser quirks.
这篇关于为什么ASP.NET为域和子域生成相同的cookie密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
