Creating a cross-domain forms authentication cookie correctly

Time: 2022-08-28 15:52:39

I'm just creating a simple test between two servers. Basically, if a user has already authenticated I want to be able to pass them between applications. I changed the keys to hide them.

I have three questions:

  1. What is the proper way to validate the cookie across domain applications? For example, when the user lands at successpage.aspx, what should I be checking for?

  2. Is the below code valid for creating a cross-domain authentication cookie?

  3. Do I have my web.config set up properly?

My code:

if (authenticated == true)
{
  //FormsAuthentication.SetAuthCookie(userName, false);
  bool IsPersistent = true;
  DateTime expirationDate = new DateTime();
  if (IsPersistent)
    expirationDate = DateTime.Now.AddYears(1);
  else
    expirationDate = DateTime.Now.AddMinutes(300);

  // Build the ticket by hand (version, name, issue date, expiration,
  // persistence flag, user data, cookie path)
  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
      1,
      userAuthName,
      DateTime.Now,
      expirationDate,
      IsPersistent,
      userAuthName,
      FormsAuthentication.FormsCookiePath);

  // Encrypt and sign the ticket with the machineKey from web.config
  string eth = FormsAuthentication.Encrypt(ticket);
  HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, eth);
  if (IsPersistent)
    cookie.Expires = ticket.Expiration;

  // Leading dot so the cookie is sent to subdomains as well
  cookie.Domain = ".myDomain.com";
  // Add the cookie once; calling SetCookie and Cookies.Add for the same
  // cookie would emit it twice
  Response.Cookies.Add(cookie);

  Response.Redirect("successpage.aspx");
}

My config:

<authentication mode="Forms">
  <forms loginUrl="~/Default.aspx" timeout="2880" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>
</authentication>
<customErrors mode="Off" defaultRedirect="failure.aspx" />
<machineKey decryptionKey="@" validationKey="*" validation="SHA1"  decryption="AES"/>

1 solution

#1


4  

What is the proper way to validate the cookie across domain applications? For example, when the user lands at successpage.aspx, what should I be checking for?

There shouldn't be anything to check. The Forms authentication mechanism will retrieve the ticket from the cookie and check whether it is valid. If it is not present or is invalid, the user will be redirected to ~/Default.aspx. This will work provided your cookie matches the configuration of your web.config.

Is the below code valid for creating a cross-domain authentication cookie?

I think you shouldn't try to override the settings of your web.config by manually handling the cookie. I think there are better ways of handling cookie persistence (see below for web.config), and you are just implementing a part of the Forms authentication API (losing the web.config settings for SSL, for example):

  1. Here, your manual cookie is not HttpOnly: you could, for example, be subject to cookie theft through XSS.

  2. FormsAuthentication has its own way of handling the cookie (see the TimeOut attribute description in http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.80%29.aspx). Your cookie persistence mechanism will be overwritten by this automatic behavior.

Your code should just be:

if (authenticated)
{
  // e.g. the value of a "remember me" checkbox (hypothetical variable)
  bool isPersistent = rememberMe;
  // Let FormsAuthentication issue the ticket and cookie according to web.config
  FormsAuthentication.SetAuthCookie(userName, isPersistent);
  Response.Redirect("successpage.aspx");
}

Do I have my web.config setup properly?


It should be OK for the domain attribute, as long as you want to share authentication among direct subdomains of mydomain.com (it won't work for x.y.mydomain.com), and mydomain.com is not in the public suffix list (http://publicsuffix.org/list/).

I would change the timeout and slidingExpiration attributes to:

 <forms loginUrl="~/Default.aspx" timeout="525600" slidingExpiration="false" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>

I guess it is a good way to handle the choice between one-year persistent cookies and session cookies. See https://*.com/a/3748723/1236044 for more info.
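The two halves of the answer, as an added example that is not code from the question or the answer above: a login page that lets FormsAuthentication issue the cookie from the web.config settings, and a page on the second application that reads the identity the framework has already validated, plus a troubleshooting helper that repeats the decrypt-and-expiry check the module performs, which is where a machineKey mismatch between the two servers shows up. The control names (userNameBox, passwordBox, rememberMeBox), the Authenticate(...) credential check and the page class names are assumptions.

```csharp
// Added example, not the asker's or the answerer's code. Assumes both
// applications share the same <machineKey> and the same <forms name/domain>
// settings in web.config. Control names, Authenticate(...) and the page class
// names are hypothetical.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Hypothetical credential check against your user store.
        if (!Authenticate(userNameBox.Text, passwordBox.Text))
        {
            return;
        }

        // Let the framework build the ticket and the cookie: it applies the
        // name, domain, path, timeout, requireSSL and HttpOnly settings from
        // web.config, so the cookie is accepted by every application that
        // shares that configuration and the same machineKey.
        bool isPersistent = rememberMeBox.Checked;
        FormsAuthentication.SetAuthCookie(userNameBox.Text, isPersistent);

        // When the request carries a ReturnUrl, RedirectFromLoginPage(...)
        // sets the same cookie and sends the user back there instead.
        Response.Redirect("successpage.aspx");
    }

    private bool Authenticate(string userName, string password)
    {
        // Placeholder for the real credential check (hypothetical).
        return Membership.ValidateUser(userName, password);
    }
}

public partial class SuccessPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Nothing to validate by hand: FormsAuthenticationModule has already
        // decrypted and checked the ticket (or redirected to loginUrl). The
        // result is exposed through the request's principal.
        if (!User.Identity.IsAuthenticated)
        {
            // Only reachable on pages that allow anonymous access.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        var identity = User.Identity as FormsIdentity;
        if (identity != null)
        {
            FormsAuthenticationTicket ticket = identity.Ticket;
            Trace.Write("auth", "user=" + ticket.Name
                + " issued=" + ticket.IssueDate.ToString("u")
                + " expires=" + ticket.Expiration.ToString("u")
                + " persistent=" + ticket.IsPersistent);
        }

        Trace.Write("auth", DescribeAuthCookie(Request));
    }

    // Troubleshooting only: repeats the check the module performs on every
    // request. Decrypt fails when the cookie was written with a different
    // machineKey (or was tampered with); Expired reflects the ticket's own
    // expiration, independent of the cookie's Expires attribute.
    public static string DescribeAuthCookie(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            return "no auth cookie named " + FormsAuthentication.FormsCookieName;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
            {
                return "ticket missing or expired";
            }
            return "ticket ok for " + ticket.Name
                + ", expires " + ticket.Expiration.ToString("u");
        }
        catch (Exception)
        {
            // Decrypt throws on a malformed or wrongly keyed value.
            return "ticket could not be decrypted (machineKey mismatch or tampering)";
        }
    }
}
```

The helper is only there to make a configuration mismatch visible in the trace output while the two servers are being set up; in production the module's own check is sufficient, and pages that must be protected should rely on <authorization> rather than on checks in Page_Load.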
