I have a website that uses ASP.NET Forms authentication. I recently implemented saving a cookie when a user logs in, and now I have found a problem. I'm not 100% sure whether the problem existed before this.
The steps to reproduce are:
So visiting my site with or without (www) has become like visiting two different sites. Logging out from www.mysite.com does not log you out of mysite.com. The same goes for logging in, and vice versa.
Login page

```vbnet
Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As AuthenticateEventArgs) Handles Login1.Authenticate
    Dim userName As String = Login1.UserName
    Dim password As String = Login1.Password
    Dim result As Boolean = UserLogin(userName, password)
    If result Then
        e.Authenticated = True
        If Login1.RememberMeSet Then
            SetCookies(userName)
        End If
        LoginCounter(userName)
    Else
        e.Authenticated = False
    End If
End Sub

' Issues a 7-day forms ticket in a cookie. No Domain is set on the cookie, so the
' browser treats it as host-only: a cookie set by www.mysite.com is never sent to
' mysite.com, and vice versa. (isPersistent is False even though an explicit
' Expires is set, so the ticket itself is not marked persistent.)
Private Sub SetCookies(ByVal userName As String)
    Dim tkt As FormsAuthenticationTicket
    Dim cookiestr As String
    Dim ck As HttpCookie
    tkt = New FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddDays(7), False, "")
    cookiestr = FormsAuthentication.Encrypt(tkt)
    ck = New HttpCookie(FormsAuthentication.FormsCookieName, cookiestr)
    ck.Expires = tkt.Expiration
    ck.Path = FormsAuthentication.FormsCookiePath
    HttpContext.Current.Request.Cookies.Remove(".ASPXAUTH")
    Response.Cookies.Add(ck)
End Sub
```
LoginStatus control on the master page

```vbnet
Protected Sub LoginStatus1_LoggingOut(ByVal sender As Object, ByVal e As LoginCancelEventArgs) Handles LoginStatus1.LoggingOut
    FormsAuthentication.SignOut()
    Session.Clear()
    Session.Abandon()
    ' Expire the forms ticket cookie. Like the login cookie it carries no Domain,
    ' so it only removes the cookie for the host that served this request.
    Dim cookie1 As New HttpCookie(FormsAuthentication.FormsCookieName, "")
    cookie1.Expires = DateTime.Now.AddYears(-1)
    Response.Cookies.Add(cookie1)
    ' Expire the session cookie as well.
    Dim cookie2 As New HttpCookie("ASP.NET_SessionId", "")
    cookie2.Expires = DateTime.Now.AddYears(-1)
    Response.Cookies.Add(cookie2)
End Sub
```
Web.config

```xml
<authorization>
  <deny users="?"/>
</authorization>
<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="Login.aspx" defaultUrl="Default.aspx" cookieless="UseCookies" timeout="1440" path="/" protection="All"/>
</authentication>
```
Solution: put this in Global.asax:

```vbnet
Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim fromurl As String = "http://mysite.com"
    Dim tourl As String = "http://www.mysite.com"
    ' Send every request for the bare domain to www, so the browser only ever
    ' holds cookies for one host. Note: only the http scheme is matched, and the
    ' redirect target drops the requested path and query string.
    If HttpContext.Current.Request.Url.ToString().ToLower().Contains(fromurl) Then
        HttpContext.Current.Response.Status = "301 Moved Permanently"
        HttpContext.Current.Response.AddHeader("Location", tourl)
        ' Stop the pipeline here so the page is not executed behind the redirect.
        HttpContext.Current.Response.End()
    End If
End Sub
```
Answer (score: 1)
I would say the session cookie is (sub)domain-specific.
You need to redirect all requests from one domain to the other to force the browser to use only one session.
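To make the answer's point concrete, here is an added example (not from the question or the answer) that simulates RFC 6265 cookie scoping in Python: a cookie set without a Domain attribute, as the page's SetCookies does, is host-only and is returned only to the exact host that set it, so a ticket issued by www.mysite.com never reaches mysite.com. The .ASPXAUTH name and the two hostnames come from the page; the ticket value is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # setting host, or the Domain attribute (lower-case, no leading dot)
    host_only: bool   # True when Set-Cookie carried no Domain attribute

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain, or ends with '.' + domain."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

class CookieJar:
    """Minimal browser cookie store: only the domain-scoping rules matter here."""
    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def set_cookie(self, setting_host: str, name: str, value: str,
                   domain: Optional[str] = None) -> None:
        """Store a cookie the way a browser does on Set-Cookie from `setting_host`."""
        if domain is None:
            # No Domain attribute, as in the page's SetCookies: a host-only cookie.
            self.cookies.append(Cookie(name, value, setting_host.lower(), True))
            return
        dom = domain.lower().lstrip(".")
        # A host may only set cookies for itself or a parent domain (RFC 6265 5.3, step 6).
        if not domain_matches(setting_host, dom):
            raise ValueError(f"{setting_host} may not set a cookie for {dom}")
        self.cookies.append(Cookie(name, value, dom, False))

    def cookies_for(self, request_host: str) -> List[str]:
        """Names of the cookies the browser attaches to a request for `request_host`."""
        host, sent = request_host.lower(), []
        for c in self.cookies:
            # Host-only cookies need an exact host match; domain cookies use domain-match.
            match = (host == c.domain) if c.host_only else domain_matches(host, c.domain)
            if match:
                sent.append(c.name)
        return sent

def simulate_login(login_host: str, forms_domain: Optional[str] = None) -> Dict[str, bool]:
    """Log in on `login_host`, issuing .ASPXAUTH as the page does (no Domain unless
    `forms_domain` is given), then report which of the question's two hosts get it."""
    jar = CookieJar()
    jar.set_cookie(login_host, ".ASPXAUTH", "<constructed ticket value>", forms_domain)
    return {h: ".ASPXAUTH" in jar.cookies_for(h) for h in ("www.mysite.com", "mysite.com")}
```

Passing a Domain of mysite.com makes the ticket a domain cookie that both hosts receive; in ASP.NET that corresponds to the `domain` attribute on the `<forms>` element (or `HttpCookie.Domain`), which is an alternative to the redirect the answer recommends.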