如何使用HTTPHandler记录跨域Intranet流量(包括用户名)?

时间:2022-08-23 10:29:24

I am attempting to log user activity for a couple internal websites as well as our SharePoint sites. I use JavaScript to make a call (GET) to an ashx page (HTTPHandler) that returns a 1x1 invisible GIF. The HTTPHandler grabs the referring URL, browser info, ip address, the action (sent as a QueryString), and (the part I'm strugging with) the username. The username is gathered using context.User.Identity in the HTTPHandler and 'Integrated Windows Authentication' is enabled in IIS 6. Here is the logging portion of the js:

我正在尝试记录几个内部网站以及我们的SharePoint网站的用户活动。我使用JavaScript对ashx页面(HTTPHandler)进行调用(GET),返回1x1不可见的GIF。 HTTPHandler抓取引用URL,浏览器信息,IP地址,动作(作为QueryString发送)和(我正在使用的部分)用户名。使用HTTPHandler中的context.User.Identity收集用户名,并在IIS 6中启用“集成Windows身份验证”。以下是js的日志记录部分:

    logAction: function(action) {
    try {
        var i = new Image(1, 1);
        i.src = "http://intranet/tracker/urchin.ashx?action=" + action;
    } catch (e) {
        //alert(e);
    }

Using jQuery, I added handlers to button clicks, link clicks, and 'unload' that call the ashx file and pass the action performed. (It is also called on page load).

使用jQuery,我为按钮点击,链接点击和“卸载”添加了处理程序,调用ashx文件并传递执行的操作。 (它也在页面加载时调用)。

All of this was working perfectly, or so I thought... It turned out that I was missing the initial page load event the first time the user opened one of the pages if it was not on the same domain as the HTTPHandler. Using Fiddler I could see the NTLM cycle for the page (401.2, 401.1, 200) but only a 401.2 for the ashx. It appears that the browser will not send the user credentials when the call to the HTTPHandler is cross-domain. The next page the user visits gets logged correctly, but that first page is not logged.

所有这一切都很完美,或者我认为......事实证明,如果用户第一次打开其中一个页面,如果它与HTTPHandler不在同一个域中,我就会错过初始页面加载事件。使用Fiddler,我可以看到页面的NTLM循环(401.2,401.1,200),但是对于ashx只能看到401.2。当对HTTPHandler的调用是跨域时,浏览器似乎不会发送用户凭据。正确记录用户访问的下一页,但不记录该第一页。

Here are our domains:

以下是我们的域名:

Is there something wrong with my design, or is this simply web browser security? Thanks!

我的设计有问题,或者这只是网络浏览器的安全性?谢谢!

1 个解决方案

#1


1  

You might want to see this: http://developer.yahoo.com/javascript/howto-proxy.html

您可能希望看到这个:http://developer.yahoo.com/javascript/howto-proxy.html

It may not be spot on about the problem you have (which I can't give you a precise technical answer to right now), but the above link will warn you of the problems/design decisions/security considerations that you must be aware of with what you are trying to achieve. You are right, there is a browser security issue, that much I do know.

关于你所遇到的问题(我现在无法给你一个精确的技术答案)可能不是现场的,但上面的链接会警告你必须注意的问题/设计决策/安全考虑因素与你想要实现的目标。你是对的,有一个浏览器安全问题,我知道的很多。

Also do a google search for cross domain ajax proxy. Some good reading for you there!

也可以谷歌搜索跨域ajax代理。那里有一些很好的阅读!

Good luck!

#1


1  

You might want to see this: http://developer.yahoo.com/javascript/howto-proxy.html

您可能希望看到这个:http://developer.yahoo.com/javascript/howto-proxy.html

It may not be spot on about the problem you have (which I can't give you a precise technical answer to right now), but the above link will warn you of the problems/design decisions/security considerations that you must be aware of with what you are trying to achieve. You are right, there is a browser security issue, that much I do know.

关于你所遇到的问题(我现在无法给你一个精确的技术答案)可能不是现场的,但上面的链接会警告你必须注意的问题/设计决策/安全考虑因素与你想要实现的目标。你是对的,有一个浏览器安全问题,我知道的很多。

Also do a google search for cross domain ajax proxy. Some good reading for you there!

也可以谷歌搜索跨域ajax代理。那里有一些很好的阅读!

Good luck!