单页应用程序丢失身份验证令牌cookie

时间:2015-11-04 16:00:03

标签: asp.net-mvc authentication signalr forms-authentication

提前为下面的文字墙道歉,但我想确保在日志中包含任何可能有用的内容....

我有一个ASP.Net MVC应用程序,其主要接口是使用SignalR的单页应用程序。对于用户来说突然“不工作”的事情偶尔会出现问题 - 根本原因是他们不再经过身份验证。我每分钟都有一个MVC请求让会话保持活动状态,而且SignalR每5分钟也有自己的保持活动状态。它似乎与特定的时间间隔无关,因为大多数时候,用户可以整天打开应用程序而不会出现问题。我在下面的Web服务器上包含了一个带注释的IIS日志示例。为了便于阅读,缩短了身份验证令牌和会话值。请注意,身份验证令牌已多次续订,没有任何问题。然后,突然之间,浏览器不再发送身份验证令牌。

+------------+----------+-----------+------------------------------+-------------+-------------------------------------+-----------+------------------------------------------------------------------------------------------------+
|       date | time     | cs-method | cs-uri-stem                  | cs-username | cs(Cookie)                          | sc-status | comment                                                                                        |
+------------+----------+-----------+------------------------------+-------------+-------------------------------------+-----------+------------------------------------------------------------------------------------------------+
| 2015-11-04 | 10:54:30 | GET       | /                            | -           | -                                   |       302 | user requesting page for the first time; redirect to login page                                |
| 2015-11-04 | 10:54:30 | GET       | /Account/Login               | -           | -                                   |       200 | login page GET                                                                                 |
| 2015-11-04 | 10:54:46 | POST      | /Account/Login               | -           |                                     |       302 | login page POST; authenticate and redirect to content page                                     |
| 2015-11-04 | 10:54:46 | GET       | /                            | user123     | .VWRID=AAAA                         |       302 | content page GET; user is logged in                                                            |
| 2015-11-04 | 10:54:46 | GET       | /Account/SelectConfiguration | user123     | .VWRID=AAAA                         |       200 | user doing stuff; no problem                                                                   |
| 2015-11-04 | …        | …         | …                            | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 | user doing stuff; no problem                                                                   |
| 2015-11-04 | 10:54:50 | GET       | /signalr/negotiate           | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 | SignalR connection                                                                             |
| 2015-11-04 | 10:54:50 | GET       | /signalr/start               | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 10:54:50 | POST      | /signalr/send                | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 10:55:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 | keepalive for ASP.Net session; once/min                                                        |
| 2015-11-04 | …        | …         | …                            | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 | user doing stuff; no problem                                                                   |
| 2015-11-04 | 10:59:50 | GET       | /signalr/ping                | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 | SignalR keepalive; once/5 min                                                                  |
| 2015-11-04 | 11:00:50 | …         | …                            | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 11:08:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 11:09:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 | renewed ASP.net token sent to client (?)                                                       |
| 2015-11-04 | 11:09:50 | GET       | /signalr/ping                | user123     | .VWRID=BBBB;+ASP.NET_SessionId=ses1 |       200 | new ASP.net token sent to server                                                               |
| 2015-11-04 | 11:10:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=BBBB;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 11:11:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=BBBB;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | …        | …         | …                            | user123     | .VWRID=BBBB;+ASP.NET_SessionId=ses1 |       200 | user doing stuff; no problem                                                                   |
| 2015-11-04 | 11:24:32 | POST      | /signalr/send                | user123     | .VWRID=BBBB;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 11:24:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=BBBB;+ASP.NET_SessionId=ses1 |       200 | renewed ASP.net token sent to client (?)                                                       |
| 2015-11-04 | 11:24:50 | GET       | /signalr/ping                | user123     | .VWRID=CCCC;+ASP.NET_SessionId=ses1 |       200 | new ASP.net token sent to server                                                               |
| 2015-11-04 | 11:25:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=CCCC;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | …        | …         | …                            | user123     | .VWRID=CCCC;+ASP.NET_SessionId=ses1 |       200 | user doing stuff; no problem                                                                   |
| 2015-11-04 | …        | …         | …                            | user123     | .VWRID=CCCC;+ASP.NET_SessionId=ses1 |       200 | same pattern continues, until…                                                                 |
| 2015-11-04 | 11:58:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=EEEE;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 11:59:50 | POST      | /Home/CheckVersion           | user123     | .VWRID=EEEE;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 11:59:50 | GET       | /signalr/ping                | user123     | .VWRID=EEEE;+ASP.NET_SessionId=ses1 |       200 |                                                                                                |
| 2015-11-04 | 12:00:50 | POST      | /Home/CheckVersion           | -           | -                                   |       302 | NO AUTHENTICATION COOKIE!                                                                      |
| 2015-11-04 | 12:00:50 | GET       | /Account/Login               | -           | -                                   |       200 | JSON request "redirected" but user never notified                                              |
| 2015-11-04 | 12:01:50 | POST      | /Home/CheckVersion           | -           |                                     |       302 |                                                                                                |
| 2015-11-04 | 12:01:50 | GET       | /Account/Login               | -           |                                     |       200 |                                                                                                |
| 2015-11-04 | …        | POST      | /Home/CheckVersion           | -           |                                     |       302 | same pattern…                                                                                  |
| 2015-11-04 | …        | GET       | /Account/Login               | -           |                                     |       200 |                                                                                                |
| 2015-11-04 | 12:04:49 | GET       | /signalr/ping                | -           |                                     |       200 | signalr keepalive returns HTTP 200 (?)…                                                        |
| 2015-11-04 | 12:05:50 | POST      | /Home/CheckVersion           | -           |                                     |       302 |                                                                                                |
| 2015-11-04 | 12:05:50 | GET       | /Account/Login               | -           |                                     |       200 |                                                                                                |
| 2015-11-04 | …        | POST      | /Home/CheckVersion           | -           |                                     |       302 |                                                                                                |
| 2015-11-04 | …        | GET       | /Account/Login               | -           |                                     |       200 |                                                                                                |
| 2015-11-04 | 12:16:43 | POST      | /signalr/send                | -           |                                     |       403 | … but signalr requests fail because they need to be authenticated                              |
| 2015-11-04 | …        | POST      | /signalr/send                | -           |                                     |       403 |                                                                                                |
| 2015-11-04 | 12:43:23 | POST      | /signalr/abort               | -           |                                     |       403 | at some point signalr aborts                                                                   |
| 2015-11-04 | 12:43:23 | GET       | /signalr/connect             | user123     | .VWRID=AAAA;+ASP.NET_SessionId=ses1 |       200 | and reconnects with the ORIGINAL authentication token (?)                                      |
| 2015-11-04 | 12:43:23 | GET       | /                            | -           |                                     |       302 | User realizes there is a problem and refreshed the page, forcing the login process to initiate |
| 2015-11-04 | 12:43:23 | GET       | /Account/Login               | -           |                                     |       200 |                                                                                                |
| 2015-11-04 | 12:43:35 | POST      | /Account/Login               | -           |                                     |       302 |                                                                                                |
| 2015-11-04 | 12:43:35 | GET       | /                            | user123     | .VWRID=FFFF                         |       302 | and we're good again…                                                                          |
| 2015-11-04 | 12:43:36 | GET       | /Account/SelectConfiguration | user123     | .VWRID=FFFF                         |       200 |                                                                                                |
| 2015-11-04 | …        | …         | …                            | user123     | .VWRID=FFFF;+ASP.NET_SessionId=ses2 |       200 |                                                                                                |
| 2015-11-04 | 15:43:02 | POST      | /Home/CheckVersion           | user123     | .VWRID=GGGG;+ASP.NET_SessionId=ses2 |       200 | still going strong nearly 2 hours later.                                                       |
+------------+----------+-----------+------------------------------+-------------+-------------------------------------+-----------+------------------------------------------------------------------------------------------------+

web.config的相关部分:

<system.web>
  <authentication mode="Forms">
    <forms name=".VWRID" loginUrl="~/Account/Login" timeout="30" slidingExpiration="true" protection="All" requireSSL="true" />
  </authentication>
</system.web>

有没有人知道这里会发生什么以及如何解决?

[UPDATE]

在查看日志时,这似乎只会影响IE 10上的用户。在那里使用的SignalR传输机制是 foreverFrame 。我想知道这是否是该传输的SignalR错误。我打算降级那些客户端以使用长轮询并查看问题是否消失。

1 个答案:

答案 0 :(得分:0)

我们删除了SignalR传输的 foreverFrame 选项,问题就消失了。似乎是SignalR中的一个错误。

相关问题
最新问题