SameSite cookies and OWIN

Time: 2020-03-11 11:51:24

Tags: .net google-chrome owin samesite

To be compatible with the Chrome 80 release, we have implemented SameSite cookies for our OWIN application, following https://docs.microsoft.com/en-us/aspnet/samesite/owin-samesite

We have:

  1. Upgraded OWIN to 4.1
  2. Targeted the .NET Framework 4.7.2

This works fine in Chrome v80 Beta. However, in strict mode (`.\chrome.exe --enable-features=SameSiteDefaultChecksMethodRigorously`) it gives the following error:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce: '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated. at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext) at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext) at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.d__9.MoveNext(

Has anyone run into this?

1 answer:

Answer 0 (score: 0)

Probably a late reply to this question, but better late than never :-)

Chrome has been updated with changes that mitigate cross-site request forgery (CSRF); for security reasons these changes will gradually be implemented in all browsers. [https://blog.chromium.org/2020/05/resuming-samesite-cookie-changes-in-july.html]

The following fix worked for me.

  1. Add the following code to web.config.

<rewrite>
  <outboundRules>
    <!-- Add "SameSite=None" to any cookie which does NOT have it yet -->
    <!-- currently this only works for secure https cookies -->
    <rule name="Add SameSite">
      <conditions>
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; SameSite=None" />
    </rule>

    <!-- Add "Secure" to any cookie which does NOT have it yet, as long as it's an HTTPS request,
         or else a secure cookie would just be ignored -->
    <rule name="Add Secure">
      <conditions>
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; Secure" />
    </rule>

    <!-- If SameSite was set to None by cookieSameSite="None",
         remove it for non-https requests (currently only works for https) -->
    <rule name="No SameSite For HTTP">
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <match serverVariable="RESPONSE_Set_Cookie" pattern="(.);(\s)SameSite=None" />
      <action type="Rewrite" value="{R:1}" />
    </rule>
  </outboundRules>
</rewrite>

  2. Use [https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1072]
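The following Python script is an added illustration, not code from the question, the answer, or any of the linked projects. It models what the three outbound rewrite rules above do to a Set-Cookie header, and then applies a deliberately simplified model of Chrome 80's SameSite rules to show why the OpenID Connect nonce cookie goes missing on the form_post callback (which the IDX21323 exception reports). The sample cookie header is constructed; the browser model is an assumption that captures only the behaviour relevant here, including the two-minute "Lax+POST" exemption that the `SameSiteDefaultChecksMethodRigorously` feature from the question switches off.

```python
import re
from dataclasses import dataclass

# Constructed sample Set-Cookie header for the OWIN OpenID Connect nonce cookie
# as the application emits it before any rewrite rule runs (value shortened).
SAMPLE_NONCE_COOKIE = "OpenIdConnect.nonce.AbCd=EfGh; path=/; HttpOnly"


def apply_outbound_rules(set_cookie: str, https: bool) -> str:
    """Model the three outbound rules of the web.config above on one header.

    IIS URL Rewrite patterns are regular expressions and case-insensitive
    by default, so the checks below use re.I as well.
    """
    header = set_cookie
    if https:
        # "Add SameSite": non-empty header lacking "; SameSite=None" -> append it
        if header and not re.search(r"; SameSite=None", header, re.I):
            header += "; SameSite=None"
        # "Add Secure": non-empty header lacking "; Secure" -> append it
        if header and not re.search(r"; Secure", header, re.I):
            header += "; Secure"
    else:
        # "No SameSite For HTTP": (.);(\s)SameSite=None is rewritten to {R:1}
        header = re.sub(r"(.);(\s)SameSite=None", r"\1", header, flags=re.I)
    return header


@dataclass
class Cookie:
    name: str
    samesite: str  # "Lax", "Strict", "None", or "" when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Extract the cookie name and the two attributes the SameSite rules use."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    samesite, secure = "", False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.lower() == "samesite":
            samesite = value.strip().capitalize()
        elif key.lower() == "secure":
            secure = True
    return Cookie(name, samesite, secure)


def sent_on_cross_site_post(cookie: Cookie, rigorous: bool, age_seconds: int = 0) -> bool:
    """Simplified (assumed) model of Chrome 80 for a top-level cross-site POST,
    which is what the identity provider's form_post response to the OWIN
    callback is. Not a full cookie implementation; it encodes only:
    - SameSite=None is honoured only together with Secure, otherwise the
      cookie is rejected when it is set;
    - Strict and explicit Lax cookies are never sent on a cross-site POST;
    - a cookie with no SameSite attribute defaults to Lax but keeps the
      temporary "Lax+POST" exemption for two minutes after being set, which
      --enable-features=SameSiteDefaultChecksMethodRigorously removes.
    """
    if cookie.samesite == "None":
        return cookie.secure
    if cookie.samesite in ("Strict", "Lax"):
        return False
    return (not rigorous) and age_seconds < 120


def nonce_cookie_arrives(https: bool, rigorous: bool, age_seconds: int = 0) -> bool:
    """True when the nonce cookie is returned on the callback, i.e. when the
    validator has a nonce to compare against the id_token and IDX21323 is
    not raised."""
    header = apply_outbound_rules(SAMPLE_NONCE_COOKIE, https)
    return sent_on_cross_site_post(parse_set_cookie(header), rigorous, age_seconds)


if __name__ == "__main__":
    for https in (True, False):
        for rigorous in (False, True):
            print(f"https={https!s:5} rigorous={rigorous!s:5} "
                  f"header={apply_outbound_rules(SAMPLE_NONCE_COOKIE, https)!r} "
                  f"nonce arrives={nonce_cookie_arrives(https, rigorous, 10)}")
```

Running it shows the pattern from the question: a nonce cookie that still lacks the SameSite attribute is returned on the callback in default Chrome 80 (the Lax+POST exemption applies because the cookie was set seconds earlier), but not once the rigorous method check is enabled, and never over plain HTTP because the rules only add `SameSite=None; Secure` on HTTPS responses. A quick check for a deployment is therefore to inspect the Set-Cookie headers of the sign-in redirect response and confirm that every cookie the callback needs carries both attributes.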