IE8&打开多个浏览器时 ASP.Net 表单身份验证 Cookie 失败
我的登录页面上有以下代码。我用它来设置客户的登录超时。在 IE8 中,我遇到这样的问题:如果用户打开另一个浏览器窗口,然后在第一个窗口中注销,当他们重新登录时,他们会在一个页面后(每次)弹回到登录状态。如果他们不打开另一个浏览器,一切都很好。
我发现了很多与此相关的问题,但我发现唯一有效的解决方案是使用 cookieless 方法 (URI)。
我看到一些文章说要设置域,我正在这样做,但这不起作用。另外,我尝试将 authticket 设置为持久和非持久。两者都没有产生任何影响。我已经看到,一旦身份验证 cookie 从文件夹中消失,当我登录时它就不会重新创建。
如果我将第二个浏览器窗口作为“新会话”打开,我不会遇到任何问题。 (这是不切实际的,因为我们无法训练应用程序的每个用户以这种方式打开任何其他窗口。)
是否有任何人发现不涉及使用 cookieless URI 方法的解决方案?
int timeoutValue = 20 // This value is actually returned from a method;
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(LoginControl.UserName, false, timeoutValue);
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authCookie.Domain = "my.domain";
authCookie.Expires = DateTime.Now.AddMinutes(timeoutValue);
HttpContext.Current.Response.Cookies.Add(authCookie);
I have the code below on a login page. I'm using this to set the login timeout by customer. In IE8 I'm running into the problem that if a user opens another browser window, then logs out in the first window, when they relog back in they get bounced back to the login after a single page (every time). If they don't open another browser, everything is fine.
I've found ALOT of questions about this, but the only solution I've found that works is to use the cookieless method (URI).
I've seen a few articles saying to set the domain, which I'm doing, but that doesn't work. Also, I've tried setting the authticket to both persistent and non-persistent. Neither has made a difference. I have seen that once the auth cookie is gone from the folder, it doesnt get recreated when I log in.
If I open that second browser window as a "New Session" I don't have any problems. (This isn't practical as we cant train every user of the app to open any additional windows this way.)
Is there a fix for this that anyone has found that doesn't involves using the cookieless URI approach?
int timeoutValue = 20 // This value is actually returned from a method;
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(LoginControl.UserName, false, timeoutValue);
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authCookie.Domain = "my.domain";
authCookie.Expires = DateTime.Now.AddMinutes(timeoutValue);
HttpContext.Current.Response.Cookies.Add(authCookie);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这是 Internet Explorer 的一项“功能”,用于跨浏览器窗口共享 cookie/会话。
因此,在 IE8 中创建“新会话”的新“功能”。
因此,我不认为有任何理想的方法可以轻松阻止这种行为。
当然,除了无cookie之外。
This a "feature" of Internet Explorer to share cookies/session across browser windows.
Hence the new "feature" to create a "New Session" in IE8.
Therefore I do not believe there is any ideal way of easily stopping this behaviour.
Other than going cookieless of course.
我知道这是一个老问题,但我一直在与同样的问题作斗争,我相信我有解决办法。我已经复制了这些确切的症状,并且也能够成功消除它们(至少到目前为止)。
只有在您想要持久身份验证票证时才在 cookie 上设置过期时间才能消除我的问题。
这是我现在的方法:
以下是我如何调用它:
我意识到通过调用它的方式,不需要 CreateAuthenticationCookie 方法上的“记住我”参数(因为我总是在这种情况),但我还没有重构它,它更好地展示了其他人可能想要如何使用它。
如果用户选择不“记住我”,我想要一种轻松滑动过期的方法,但如果他们确实选择“记住我”,我不想被限制在非“记住我”的 30 分钟超时用户。我的目的是,如果有人使用公共计算机,他们会获得滑动过期时间,并且不会记住我,但如果他们使用个人计算机,他们可以“记住我”,而不会受到 web.config 中超时设置的限制。不知道这一切都适用于您的情况,但我希望它对某人有所帮助,或者我的方法可以引起一些建设性的批评,以便我可以在需要时进行调整。
附言。以下是我的表单身份验证的 web.config 设置:
I know this is a old question, but I have been battling this same problem and I believe I have a fix. I have replicated these exact symptoms and have also been able to successfully eliminate them (at least so far).
Only putting an expiration on the cookie if you want a persistent auth ticket is eliminating the problem for me.
Here is my method as it now stands:
And here is how I call it:
I realize that by the way I am calling it, there is no need for the "remember me" parameter on the CreateAuthenticationCookie method (since I always pass true in that case), but I haven't refactored it yet and it better demonstrates how someone else may want to use it.
I wanted a way to easily have a sliding expiration if the user chose to not "remember me", but if they did choose "remember me" I didn't want to be constrained to the 30 minute timeout of my non "remember me" users. My purpose was so that if someone is using a public computer they get the sliding expiration plus no remember me, but if they are using a personal computer they can "remember me" and not be constrained by the timeout setting in the web.config. Don't know that this all applies to your situation, but I am hoping it helps someone or that my methodology can draw some constructive criticism so that I can make adjustments if needed.
PS. Here are my web.config settings for forms authentication: