【Posted】: 2010-08-10 22:38:54
【Problem description】:
I have a GUI for login, in which I create a cookie and encrypt it. I am using SSL.
I check on the Login.aspx page whether the cookie is secure, and it is. But before it goes to the default page, it goes to the Global.ascx page.
In Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now I know it is getting the same cookie, because all the other attributes match the ones created in the Login.aspx page, i.e. the Secure value is "False".
This is the case for all the other pages after Default: the value of cookie.Secure is false.
Please help me understand why this is happening, because I want all pages to be protected by SSL.
The pages also open with https rather than http.
Here is my web.config
<authentication mode="Forms">
    <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="copiunGUI" slidingExpiration="true" timeout="120" path="/" requireSSL="true" protection="All">
    </forms>
</authentication>
<httpCookies requireSSL="true"/>
<authorization>
    <deny users="?"/>
</authorization>
My global.aspx code
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Log the URL of the current request (GUIUtility is the poster's own logging helper).
    string redirectSecureUrl = Request.Url.ToString();
    new GUIUtility().LogMessageToFile(redirectSecureUrl);

    // Extract the forms authentication cookie from the incoming request.
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    if (null == authCookie)
    {
        // There is no authentication cookie.
        new GUIUtility().LogMessageToFile("authCookie = null");
        return;
    }

    // Log the attributes of the cookie as seen on this request.
    new GUIUtility().LogMessageToFile(cookieName + authCookie.Secure + authCookie.Name + authCookie.Expires + authCookie.Path);

    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception)
    {
        // Log exception details (omitted for simplicity)
        return;
    }
    if (null == authTicket)
    {
        // Cookie failed to decrypt.
        return;
    }

    // When the ticket was created, the UserData property was assigned a
    // pipe-delimited string of role names.
    string[] roles = authTicket.UserData.Split(new char[] { '|' });

    // Create an Identity object from the ticket.
    FormsIdentity id = new FormsIdentity(authTicket);

    // This principal will flow throughout the request.
    GenericPrincipal principal = new GenericPrincipal(id, roles);

    // Attach the new principal object to the current HttpContext object.
    Context.User = principal;
}
Code in my login.aspx page
using System;
using System.Web;
using System.Web.Security;

// 'role' is the pipe-delimited role string built earlier in the page (not shown here).
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    1,                           // version
    UserName.Text,               // user name
    DateTime.Now,                // creation
    DateTime.Now.AddMinutes(60), // expiration
    false,                       // persistent
    role);                       // user data

// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

// Create a cookie and add the encrypted ticket to the cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

// Log the cookie attributes if the Secure flag is set on the outgoing cookie.
if (authCookie.Secure)
{
    new GUIUtility().LogMessageToFile("The cookie is secure with SSL." + authCookie.Name + authCookie.Expires + authCookie.Path);
}
//authCookie.Secure = FormsAuthentication.RequireSSL;

// Add the cookie to the outgoing cookies collection.
HttpContext.Current.Response.Cookies.Add(authCookie);

// Redirect the user to the originally requested page
string goToPath = FormsAuthentication.GetRedirectUrl(UserName.Text, true);
new GUIUtility().LogMessageToFile(goToPath);
//here the value of gotoPath is /Default.aspx
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
【Question discussion】:
Tags: c# asp.net ssl cookies login
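The following is an added example, not code from the question above. It shows the two halves of the check the poster is trying to make: issuing the forms ticket cookie with the Secure and HttpOnly attributes set explicitly, and validating the ticket on each request by checking the transport (Request.IsSecureConnection) rather than the Secure property of the incoming cookie. The latter matters because a browser only ever sends a cookie's name and value back to the server; the Secure attribute is never echoed, so HttpCookie.Secure on anything read from Request.Cookies is always false regardless of how the cookie was issued. The class name SecureFormsAuth and its method names are assumptions for this example; the web.config settings it relies on (forms requireSSL="true", protection="All") are the ones shown in the question.

```csharp
// Added example (not the poster's code). Assumes the web.config from the
// question: <forms requireSSL="true" protection="All"> and <httpCookies requireSSL="true"/>.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class SecureFormsAuth
{
    // Issue the forms ticket cookie with Secure and HttpOnly set explicitly,
    // instead of relying on the httpCookies defaults being applied.
    public static HttpCookie IssueTicket(HttpResponse response, string userName,
                                         string pipeDelimitedRoles, int minutes)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                  // version
            userName,                           // user name
            DateTime.Now,                       // issue date
            DateTime.Now.AddMinutes(minutes),   // expiration
            false,                              // not persistent
            pipeDelimitedRoles,                 // user data: "role1|role2"
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Secure = FormsAuthentication.RequireSSL, // true with requireSSL="true"
            HttpOnly = true,                         // keep the ticket out of script
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
        return cookie;
    }

    // Validate the ticket on each request (call from Application_AuthenticateRequest).
    // Returns the principal to attach to the context, or null to stay anonymous.
    public static GenericPrincipal TryAuthenticate(HttpContext context)
    {
        // The browser never sends the Secure attribute back, so the only way to
        // know the ticket arrived over TLS is to look at the connection itself.
        if (FormsAuthentication.RequireSSL && !context.Request.IsSecureConnection)
        {
            // Ticket presented over plain HTTP: refuse it and clear it.
            FormsAuthentication.SignOut();
            return null;
        }

        HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            return null; // tampered, or issued under a different machineKey
        }
        if (ticket == null || ticket.Expired)
            return null;

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split('|');
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

In Global.asax this reduces Application_AuthenticateRequest to `var p = SecureFormsAuth.TryAuthenticate(Context); if (p != null) Context.User = p;`. To confirm that the Secure attribute is actually being sent, inspect the Set-Cookie header of the login response (browser developer tools or a proxy such as Fiddler) rather than the cookie read back from Request.Cookies, which will always report Secure as false.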