当我登录时,我有一个GUI,我创建一个cookie并加密它。 我是SSL用户。
我检查了Login.aspx页面,如果cookie是安全的,那就是。 但在进入默认页面之前,它会进入Global.ascx页面。
在Application_AuthenticateRequest中,它获取cookie并将其解密为默认页面。
现在我知道它获得了相同的cookie,因为所有其他属性与Login.aspx页面中创建的属性相匹配,除了安全值为“False”。
默认情况下所有其他页面都是这种情况。 cookie.secure的值为false。
请帮助我,为什么会发生这种情况,因为我希望所有页面都是SSL安全的。
此页面的打开方式为https而不是http。
这是我的web.config
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="copiunGUI" slidingExpiration="true" timeout="120" path="/" requireSSL="true" protection="All">
</forms>
</authentication>
<httpCookies requireSSL="true"/>
<authorization>
<deny users="?"/>
</authorization>
我的global.aspx代码
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// Extract the forms authentication cookie
string redirectSecureUrl = Request.Url.ToString();
new GUIUtility().LogMessageToFile(redirectSecureUrl);
string cookieName = FormsAuthentication.FormsCookieName.ToString();
HttpCookie authCookie = Context.Request.Cookies[cookieName];
try
{
new GUIUtility().LogMessageToFile(cookieName + authCookie.Secure + authCookie.Name + authCookie.Expires + authCookie.Path);
}
catch (Exception)
{
//
}
if (null == authCookie)
{
try
{
new GUIUtility().LogMessageToFile("authCookie = null");
}
catch (Exception)
{
//
}
// There is no authentication cookie.
return;
}
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch (Exception)
{
// Log exception details (omitted for simplicity)
return;
}
if (null == authTicket)
{
// Cookie failed to decrypt.
return;
}
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[] { '|' });
// Create an Identity object
FormsIdentity id = new FormsIdentity(authTicket);
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
}
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version
UserName.Text, // user name
DateTime.Now, // creation
DateTime.Now.AddMinutes(60),// Expiration
false, // Persistent
role); // User data
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
if (authCookie.Secure)
{
new GUIUtility().LogMessageToFile("The cookie is secure with SSL." + authCookie.Name + authCookie.Expires + authCookie.Path);
}
//authCookie.Secure = FormsAuthentication.RequireSSL;
// Add the cookie to the outgoing cookies collection.
HttpContext.Current.Response.Cookies.Add(authCookie);
// Redirect the user to the originally requested page
string goToPath = FormsAuthentication.GetRedirectUrl(UserName.Text, true);
new GUIUtility().LogMessageToFile(goToPath);
//here the value of gotoPath is /Default.aspx
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text,false));
答案 0 :(得分:1)
我一直想知道这件事。我已经尝试过设置RequireSSL =“true”,但我不断获得新会话,而且我的登录不会超过请求。当我看到试图看到发生了什么的基础时,我意识到cookie只是HTTP请求和响应的一部分,并且似乎没有单独出去。因此,如果我在不安全的页面上,浏览器不会将cookie传输到我的网站。
如果您需要它是安全的,我认为您需要在设置cookie后翻转整个会话以使用https,否则它将不会被传输,并且当IIS / ASP下一次请求时可能会被覆盖.net没有得到它正在寻找的会话cookie(我很确定这就是我不断获得新会话的原因)。