SSO 的 .Net Forms 身份验证 Cookie 过期问题
在讨论这个问题之前,让我先描述一下我的设置。 我有两个使用表单身份验证的 Web 服务器(www.mydomain.com 和 www2.mydomain.com)。 在每个网络服务器上,我都有一个用于身份验证的主应用程序和许多子应用程序。 它看起来有点像这样:
www.mydomain.com
|__MainApp (.Net 2.0)
|__SubApp1 (.Net 1.1)
|__SubApp2 (.Net 2.0)
|__SubApp3 (.Net 2.0)
www2.mydomain.com
|__MainApp (.Net 2.0)
|__SubApp1 (.Net 1.1)
|__SubApp2 (.Net 2.0)
|__SubApp3 (.Net 2.0)
正如您所看到的,我正在运行 .Net 1.1 和 2.0 应用程序的混合同一个服务器。 现在,我一直在尝试提出一个适用于此设置的单点登录 (SSO) 解决方案,并且已经部分成功。 由于标记中的域属性与 .Net 1.1 不兼容(它会导致应用程序抛出异常),因此我决定以编程方式设置生成的表单身份验证 cookie 的域。 这工作正常,我可以在两个服务器之间导航,而无需再次登录。 当服务器尝试重新发出/更新 cookie 并在启用 movingExpiration 的情况下更新其过期时间时,就会出现此问题。 我生成的 cookie 是使用“mydomain.com”作为域创建的,但是当服务器尝试以新的过期时间重新发布它时,它找不到它并生成一个全新的 cookie,其中“www.mydomain.com”为域。
无论如何,有没有办法让服务器正确地重新发布带有自定义域的原始 cookie?
Let me describe my setup a little before I get into the problem. I have two web servers (www.mydomain.com and www2.mydomain.com) using Forms Authentication. On each web server I have a main application for authentication and numerous sub-apps. It looks kind of like this:
www.mydomain.com
|__MainApp (.Net 2.0)
|__SubApp1 (.Net 1.1)
|__SubApp2 (.Net 2.0)
|__SubApp3 (.Net 2.0)
www2.mydomain.com
|__MainApp (.Net 2.0)
|__SubApp1 (.Net 1.1)
|__SubApp2 (.Net 2.0)
|__SubApp3 (.Net 2.0)
As you can see, I'm running a mix of .Net 1.1 and 2.0 applications on the same server. Now I've been trying to come up with a Single Sign- On (SSO) solution that works with this setup and I've partially succeeded. Because the domain attribute in the tag is incompatible with .Net 1.1 (it causes the apps to throw an exception), I decided to programmatically set the domain of the forms authentication cookie generated. This works fine and I can navigate between the two servers without having to login again. The problem occurs when the server tries to reissue/renew the cookie and update its expiration with slidingExpiration enabled. The cookie I generate gets created with "mydomain.com" as the domain, but when the server tries to reissue it with a new expiration, it can't find it and generates a brand new cookie with "www.mydomain.com" as the domain.
Is there anyway to have the server properly reissue the original cookie with the custom domain?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我们有几乎相同的设置(两个 Web 服务器,1.1、2.0 和 3.5 应用程序的混合)和使用表单身份验证的 SSO。 我们已经让它可以毫无问题地滑动过期。
一个区别是我们的两个 Web 服务器被设置为一个 Web Farm(如果我没记错的话,使用 Server 2k3 中的 MS 集群)。 这意味着两台机器被分配到同一个域。 您可以将两台服务器切换为网络场吗?
We have an almost identical setup (two web servers, a mix of 1.1, 2.0 and 3.5 app's) and SSO using forms authentication. And we've got it working with sliding expiration with no problem.
The one difference is that our two web servers are setup as a web farm (using the MS Clustering in Server 2k3 if I remember correctly). This means that both machines are assigned to the same domain. Can you switch your two servers to be a web farm?
如果我们走这条路,这将是一个长期的解决方案。 短期内,我只是希望看看是否有人知道为什么框架无法找到并重新发布现有的 cookie。
If we were to go that route, it would be more of a long-term solution. In the short term, I was just hoping to see if anyone knew why the framework is unable to find and reissue the existing cookie.
我的解决方案是将表单身份验证域属性添加到 .Net 2.0 框架的全局 Web.config (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.config)。 它没有解决我的 .Net 1.1 应用程序的问题,但我的大多数应用程序都在 2.0 上。 我可能只使用 HTTPModule 来处理 .Net 1.1 应用程序的滑动过期。
My solution was to add the Forms Authentication domain attribute to the global Web.config for the .Net 2.0 framework (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Web.config). It doesn't fix the issue for my .Net 1.1 apps, but the majority of my apps are on 2.0. I'll probably just use an HTTPModule to handle the sliding expiration for the .Net 1.1 apps.