如果有人从星巴克登录电脑(例如)并且他们不小心检查了'记住我'选项,从而在该电脑上设置了持久性cookie,是否有任何方法可以从服务器拒绝该cookie而无需改变web.config中的cookie名称?
答案 0 :(得分:0)
我通过在web.config&中设置machineKey解决了这个问题(实际上还有一段时间)。更改用户名/密码时更改它:
Sub ChangeMachineKey()
Dim commandLineArgs As String() = System.Environment.GetCommandLineArgs()
Dim decryptionKey As String = CreateMachineKey(64)
Dim validationKey As String = CreateMachineKey(128)
'HttpContext.Current.Response.Write(decryptionKey + "<br />" + validationKey + "<hr />")
Dim filename As String = HttpContext.Current.Server.MapPath("~/Web.config")
Dim XmlReader As XmlTextReader = New XmlTextReader(filename)
Dim xDoc As XmlDocument = New XmlDocument()
xDoc.Load(XmlReader)
XmlReader.Close()
Dim Node As System.Xml.XmlNode = xDoc.SelectSingleNode("//configuration/system.web/machineKey")
Node.Attributes.GetNamedItem("validationKey").Value = validationKey
Node.Attributes.GetNamedItem("decryptionKey").Value = decryptionKey
xDoc.Save(filename)
End Sub
Public Shared Function CreateMachineKey(ByVal numBytes As Integer) As String
Dim Random As Byte() = New Byte(numBytes / 2 - 1) {}
Dim rng As New RNGCryptoServiceProvider()
rng.GetBytes(Random)
Dim machineKey As New System.Text.StringBuilder(numBytes)
Dim i As Integer = 0
Do While i < Random.Length
machineKey.Append(String.Format("{0:X2}", Random(i)))
i += 1
Loop
Return machineKey.ToString()
End Function
这会强制所有人再次登录,但由于只有一个管理员帐户,因此对我来说非常合适!