FormsAuthentication.SignOut() 不会注销用户
对此我的头撞得太久了。 如何防止用户在使用 FormsAuthentication.SignOut 注销后浏览网站页面? 我希望这样可以做到:
FormsAuthentication.SignOut();
Session.Abandon();
FormsAuthentication.RedirectToLoginPage();
但事实并非如此。 如果我直接输入 URL,我仍然可以浏览到该页面。 我已经有一段时间没有使用自己的安全性了,所以我忘记了为什么这不起作用。
Smashed my head against this a bit too long. How do I prevent a user from browsing a site's pages after they have been logged out using FormsAuthentication.SignOut? I would expect this to do it:
FormsAuthentication.SignOut();
Session.Abandon();
FormsAuthentication.RedirectToLoginPage();
But it doesn't. If I type in a URL directly, I can still browse to the page. I haven't used roll-your-own security in a while so I forget why this doesn't work.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(23)
用户仍然可以浏览您的网站,因为当您调用
FormsAuthentication.SignOut()时 Cookie 不会被清除,并且它们会在每个新请求时进行身份验证。 MS文档中说cookie将被清除,但他们没有,bug?和
Session.Abandon()一模一样,cookie还在。您应该将代码更改为:
HttpCookie位于System.Web命名空间中。 MSDN 参考。Users can still browse your website because cookies are not cleared when you call
FormsAuthentication.SignOut()and they are authenticated on every new request. In MS documentation is says that cookie will be cleared but they don't, bug?Its exactly the same with
Session.Abandon(), cookie is still there.You should change your code to this:
HttpCookieis in theSystem.Webnamespace. MSDN Reference.使用 x64igor 和 Phil Haselden 的上述两个帖子解决了这个问题:
1。 x64igor 给出了执行注销的示例:
您首先需要通过在注销响应中传回空 cookie 来清除身份验证 Cookie 和会话 Cookie。
2. Phil Haselden 在上面给出了如何在注销后防止缓存的示例:
您需要通过响应使客户端上的缓存无效。
Using two of the above postings by x64igor and Phil Haselden solved this:
1. x64igor gave the example to do the Logout:
You first need to Clear the Authentication Cookie and Session Cookie by passing back empty cookies in the Response to the Logout.
2. Phil Haselden gave the example above of how to prevent caching after logout:
You need to Invalidate the Cache on the Client Side via the Response.
在我看来,您没有在 中正确设置 web.config 授权部分。 请参阅下面的示例。
Sounds to me like you don't have your web.config authorization section set up properly within . See below for an example.
这里的关键是你说“如果我直接输入 URL...”。
默认情况下,在表单身份验证下,浏览器会为用户缓存页面。 因此,直接从浏览器地址框下拉列表中选择 URL 或输入 URL,可能会从浏览器的缓存中获取页面,并且永远不会返回到服务器来检查身份验证/授权。 解决方案是在每个页面的 Page_Load 事件或基页的 OnLoad() 中防止客户端缓存:
您可能还想调用:
The key here is that you say "If I type in a URL directly...".
By default under forms authentication the browser caches pages for the user. So, selecting a URL directly from the browsers address box dropdown, or typing it in, MAY get the page from the browser's cache, and never go back to the server to check authentication/authorization. The solution to this is to prevent client-side caching in the Page_Load event of each page, or in the OnLoad() of your base page:
You might also like to call:
我以前也曾为此苦苦挣扎。
这是一个似乎正在发生的事情的类比...新访问者 Joe 来到该网站并使用 FormsAuthentication 通过登录页面登录。 ASP.NET 为 Joe 生成一个新身份,并给他一个 cookie。 那块饼干就像房子的钥匙,只要乔带着那把钥匙回来,他就可以打开锁。 每位访客都会获得一把新钥匙和一把新锁以供使用。
当调用
FormsAuthentication.SignOut()时,系统告诉 Joe 丢失密钥。 通常情况下,这是有效的,因为乔不再拥有钥匙,他无法进入。但是,如果乔回来,并且确实拥有丢失的钥匙,他就会被允许回来!
据我所知,没有办法告诉 ASP.NET 更换门锁!
我可以接受的方法是在会话变量中记住乔的名字。 当他注销时,我放弃了会话,因此我不再有他的名字。 稍后,为了检查他是否被允许进入,我只需将他的 Identity.Name 与当前会话的 Identity.Name 进行比较,如果它们不匹配,则他不是有效的访问者。
简而言之,对于网站,请勿在不检查会话变量的情况下依赖
User.Identity.IsAuthenticated!I've struggled with this before too.
Here's an analogy for what seems to be going on... A new visitor, Joe, comes to the site and logs in via the login page using FormsAuthentication. ASP.NET generates a new identity for Joe, and gives him a cookie. That cookie is like the key to the house, and as long as Joe returns with that key, he can open the lock. Each visitor is given a new key and a new lock to use.
When
FormsAuthentication.SignOut()is called, the system tells Joe to lose the key. Normally, this works, since Joe no longer has the key, he cannot get in.However, if Joe ever comes back, and does have that lost key, he is let back in!
From what I can tell, there is no way to tell ASP.NET to change the lock on the door!
The way I can live with this is to remember Joe's name in a Session variable. When he logs out, I abandon the Session so I don't have his name anymore. Later, to check if he is allowed in, I simply compare his Identity.Name to what the current session has, and if they don't match, he is not a valid visitor.
In short, for a web site, do NOT rely on
User.Identity.IsAuthenticatedwithout also checking your Session variables!经过大量搜索终于这对我有用。 我希望它有帮助。
After lots of search finally this worked for me . I hope it helps.
这对我有用
This works for me
该答案在技术上与 Khosro.Pakmanesh 相同。 我发布它是为了澄清他的答案与该线程上的其他答案有何不同,以及可以在哪些用例中使用它。
一般来说,清除用户会话
会有效地注销用户。 但是,如果在同一个请求中您需要检查
Request.isAuthenticated(例如,在授权过滤器中可能经常发生这种情况),那么您会发现即使您做了
HttpContext.Session.Abandon()和FormsAuthentication.SignOut()。唯一有效的方法是
有效设置
Request.isAuthenticated = false。This Answer is technically identical to Khosro.Pakmanesh. I'm posting it to clarify how his answer differs from other answers on this thread, and in which use case it can be used.
In general to clear a user-session, doing
will effectively log out the user. However, if in the same Request you need to check
Request.isAuthenticated(as may often happen in an Authorization Filter, for example), then you will find thateven _after you did
HttpContext.Session.Abandon()andFormsAuthentication.SignOut().The only thing that worked was doing
That effectively sets
Request.isAuthenticated = false.您发布的代码看起来应该正确删除表单身份验证令牌,因此有问题的文件夹/页面可能实际上并未受到保护。
您是否确认在登录之前无法访问这些页面?
您可以发布您正在使用的 web.config 设置和登录代码吗?
The code you posted looks like it should correctly remove the forms authentication token, so it is possible that the folders/pages in question are not actually protected.
Have you confirmed that the pages cannot be accessed before a login has occured?
Can you post the web.config settings and login code that you are using?
我一直在为我的所有页面编写一个基类,并且遇到了同样的问题。
我有如下代码,但它不起作用。 通过跟踪,控制从 RedirectToLoginPage() 语句传递到下一行,而无需重定向。
我发现有两种解决方案。
要么修改 FormsAuthentication.RedirectToLoginPage(); 或者通过添加来
修改 web.config
在第二种情况下,在跟踪时,控制未到达请求的页面。 在遇到断点之前,它已立即重定向到登录 URL。
因此,SignOut() 方法不是问题,重定向方法才是问题所在。
我希望这可以帮助某人
问候
I have been writing a base class for all of my Pages and I came to the same issue.
I had code like the following and It didn't work. By tracing, control passes from RedirectToLoginPage() statement to the next line without to be redirected.
I found out that there are two solutions.
Either to modify FormsAuthentication.RedirectToLoginPage(); to be
OR to modify the web.config by adding
In the second case, while tracing, control didn't reach the requested page. It has been redirected immediately to the login url before hitting the break point.
Hence, The SignOut() method isn't the issue, the redirect method is the one.
I hope that may help someone
Regards
我只是在这里尝试了一些建议,虽然我能够使用浏览器后退按钮,但当我单击菜单选择时,[ActionResult] 的 [Authorize] 令牌将我直接带回到登录屏幕。
这是我的注销代码:
虽然浏览器上的后退功能使我返回并显示安全菜单(我仍在研究该菜单),但我无法执行应用程序中安全的任何操作。
希望这可以帮助
I just tried some of the suggestions here and while I was able to use the browser back button, when I clicked on a menu selection the [Authorize] token for that [ActionResult] sent me right back to the login screen.
Here is my logout code:
Although the back function on the browser took me back and displayed the secured menu (I am still working on that) I was not able to do anything that was secured in the app.
Hope this helps
我已经尝试了该线程中的大多数答案,但没有运气。 最终结果是:
在这里找到它: http://forums.asp.net/t/ 1306526.aspx/1
I've tried most answers in this thread, no luck. Ended up with this:
Found it here: http://forums.asp.net/t/1306526.aspx/1
当我设置身份验证>时,这种情况开始发生在我身上。 表格>
Web.config中的路径属性。 删除它解决了问题,并且一个简单的FormsAuthentication.SignOut();再次删除了 cookie。This started happening to me when I set the authentication > forms > Path property in
Web.config. Removing that fixed the problem, and a simpleFormsAuthentication.SignOut();again removed the cookie.您可能从一个子域 (sub1.domain.com) 登录,然后尝试从另一子域 (www.domain.com) 注销。
It could be that you are logging in from one subdomain (sub1.domain.com) and then trying to logout from a different subdomain (www.domain.com).
我刚刚遇到了同样的问题,SignOut() 似乎未能正确删除票证。 但仅在特定情况下,某些其他逻辑导致重定向。 当我删除第二个重定向(用错误消息替换它)后,问题就消失了。
问题肯定是页面在错误的时间重定向,因此未触发身份验证。
I just had the same problem, where SignOut() seemingly failed to properly remove the ticket. But only in a specific case, where some other logic caused a redirect. After I removed this second redirect (replaced it with an error message), the problem went away.
The problem must have been that the page redirected at the wrong time, hence not triggering authentication.
我现在遇到了类似的问题,我相信我的情况以及原始海报的问题是由于重定向造成的。 默认情况下,Response.Redirect 会导致异常立即冒泡,直到捕获并立即执行重定向,我猜测这会阻止修改后的 cookie 集合传递到客户端。 如果您修改代码以使用:
这可以防止异常,并且似乎允许 cookie 正确发送回客户端。
I am having a similar issue now and I believe the problem in my case as well as the original poster is because of the redirect. By default a Response.Redirect causes an exception which immediately bubbles up until it is caught and the redirect is immediately executed, I am guessing that this is preventing the modified cookie collection from being passed down to the client. If you modify your code to use:
This prevents the exception and seems to allow the cookie to be properly sent back to the client.
只需尝试在按登录时发送会话变量即可。
在欢迎页面上,首先在页面加载或 Init 事件中检查该会话是否为空:
Just try to send a session variable when you press log in.
And on the welcome page, first check whether that session is empty like this in the page load or in the Init Event:
我想添加一些信息来帮助理解这个问题。 表单身份验证允许将用户数据存储在 cookie 中或 URL 的查询字符串中。 您的站点支持的方法可以在 web.config 文件中配置。
根据 Microsoft< /a>:
同时, 他们说:
最后,关于 UseDeviceProfile, 他们说:
总而言之,根据用户的浏览器,默认配置可能会导致 CookiesSupported 为 true,这意味着 SignOut 方法不会从 cookie 中清除票证。 这似乎违反直觉,我不知道为什么它会这样工作——我希望 SignOut 在任何情况下都能实际注销用户。
使 SignOut 自行工作的一种方法是在 web.config 文件中将 cookie 模式更改为“UseCookies”(即需要 cookie):
根据我的测试,这样做会使 SignOut 自行工作,但会损害您的网站现在需要 cookie 才能正常运行。
I wanted to add some information to help understand the problem. Forms Authentication allows for storing user data either in a cookie, or in the query string of the URL. The method your site supports can be configured in the web.config file.
According to Microsoft:
At the same time, they say:
Lastly, regarding UseDeviceProfile, they say:
Piecing this all together, depending on the user's browser, the default configuration may result in CookiesSupported being true, which means the SignOut method doesn't clear the ticket from the cookie. This seems counter-intuitive and I don't know why it works this way -- I would expect SignOut to actually sign the user out under any circumstances.
One way to make the SignOut work by itself is to change the cookie mode to "UseCookies" (i.e. cookies are required) in the web.config file:
According to my tests, doing this makes SignOut work by itself at the cost of your site now requiring cookies to function properly.
对我来说,以下方法有效。 我认为如果“FormsAuthentication.SignOut()”语句后出现任何错误,SingOut 将不起作用。
For me, the following approach works. I think if there is any error after the "FormsAuthentication.SignOut()" statement, SingOut doesn't work.
您是否使用 IE 测试/查看此行为? IE 可能正在从缓存中提供这些页面。 众所周知,让 IE 刷新其缓存非常困难,因此在很多情况下,即使在您注销后,输入“安全”页面之一的 URL 也会显示之前缓存的内容。
(即使您以其他用户身份登录,并且 IE 在页面顶部显示“欢迎”栏,并显示旧用户的用户名,我也看到过这种行为。现在,通常重新加载会更新它,但如果它是持久的,这仍然可能是一个缓存问题。)
Are you testing/seeing this behaviour using IE? It's possible that IE is serving up those pages from the cache. It is notoriously hard to get IE to flush it's cache, and so on many occasions, even after you log out, typing the url of one of the "secured" pages would show the cached content from before.
(I've seen this behaviour even when you log as a different user, and IE shows the "Welcome " bar at the top of your page, with the old user's username. Nowadays, usually a reload will update it, but if it's persistant, it could still be a caching issue.)
执行 Session.abandon() 并销毁 cookie 效果非常好。 我正在使用 mvc3,如果您转到受保护的页面、注销并查看浏览器历史记录,似乎就会出现问题。 没什么大不了的,但还是有点烦人。
不过,尝试浏览我的网络应用程序上的链接是正确的。
将其设置为不进行浏览器缓存可能是可行的方法。
Doing Session.abandon() and destroying the cookie works pretty good. I'm using mvc3 and it looks like the problem occurs if you go to a protected page, log out, and go via your browser history. Not a big deal but still kinda of annoying.
Trying to go through links on my web app works the right way though.
Setting it to not do browser caching may be the way to go.
对于 MVC 这对我有用:
For MVC this works for me:
请注意,如果来自 STS 的 wsignoutcleanup 消息与 IIS 中的应用程序名称与 url 不匹配,WIF 将拒绝告诉浏览器清理 cookie,我的意思是区分大小写< /强>。 WIF 使用绿色“确定”检查进行响应,但不会向浏览器发送删除 cookie 的命令。
因此,您需要注意网址的大小写敏感性。
例如,ThinkTecture Identity Server 将访问 RP 的 url 保存在一个 cookie 中,但它使它们全部小写。 WIF 将收到小写的 wsignoutcleanup 消息,并将其与 IIS 中的应用程序名称进行比较。 如果不匹配,则不会删除 cookie,但会向浏览器报告“正常”。 因此,对于这个 Identity Server,我需要将 web.config 中的所有 url 和 IIS 中的所有应用程序名称都写成小写,以避免此类问题。
如果您有 STS 子域之外的应用程序,也不要忘记在浏览器中允许第三方 cookie,否则即使 WIF 告诉他,浏览器也不会删除 cookie。
Be aware that WIF refuses to tell the browser to cleanup the cookies if the wsignoutcleanup message from STS doesn't match the url with the name of the application from IIS, and I mean CASE SENSITIVE. WIF responds with the green OK check, but will not send the command to delete cookies to browser.
So, you need to pay attention to the case sensitivity of your url's.
For example, ThinkTecture Identity Server saves the urls of the visiting RPs in one cookie, but it makes all of them lower case. WIF will receive the wsignoutcleanup message in lower case and will compare it with the application name in IIS. If it doesn't match, it deletes no cookies, but will report OK to the browser. So, for this Identity Server I needed to write all urls in web.config and all application names in IIS in lower case, in order to avoid such problems.
Also don't forget to allow third party cookies in the browser if you have the applications outside of the subdomain of STS, otherwise the browser will not delete the cookies even if WIF tells him so.