Different users get the same cookie - value in .ASPXANONYMOUS

Posted on 2024-08-25 01:02:59

My site allows anonymous users.
I saw that under heavy load anonymous users sometimes get profile values from other users.

I first delete my cookies and get a valid unique value in the cookie value .ASPXANONYMOUS. After a couple of requests I get a new value for .ASPXANONYMOUS which is already used by another user. I see in my logs that there are always a couple of users who share the same value in .ASPXANONYMOUS.

I can see in my logs that 2 or more users really get the same cookie value for .ASPXANONYMOUS even if they have different IPs.

Here is the HTTP traffic. In the second image the changing cookie is shown (you have to display the image full size to be able to read the log):

One of the many requests that work ok:

alt text http://img413.imageshack.us/img413/2711/log1.gif

Then there is this one request that changes the cookie:

alt text http://img704.imageshack.us/img704/8175/log2.gif

Then the new cookie is used

alt text http://img704.imageshack.us/img704/3818/log3.gif

Just to be safe I removed dependency injection.
I don't use OutputCaching.

My web.config has this setting for authentication:

    <anonymousIdentification enabled="true" cookieless="UseCookies" cookieName=".ASPXANONYMOUS"
        cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" />

    <authentication mode="Forms">
        <forms loginUrl="~/de/Account/Login" />
    </authentication>

Does anybody have an idea what else I could log or what I should have a look at?

UPDATE

I saw now that the http-traffic I showed is perfectly valid. A changing value in .ASPXANONYMOUS is something that happens because the cookie gets refreshed. The value contains AnonymousID and a Timestamp.

This does not lead to users having the same value in .ASPXANONYMOUS under normal conditions.

The problem really is that whenever the cookies get set from the AnonymousIdentificationModule, there is a chance that a couple of users get this cookie. Setting a cookie in my application doesn't have this strange side effect.

Comments (2)

悍妇囚夫 2024-09-01 01:02:59

I had the same problem and the solution was to turn off output caching for the responses where you call SetCookie. Below are several links describing this
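A log check for the situation discussed in the question and in the answer above, as an added example that is not part of the original thread: it flags responses that issue .ASPXANONYMOUS while their Cache-Control header still lets a shared cache store them, and issued values that reached more than one client IP. The log format, the field names (`ip`, `url`, `sent`, `set`, `cc`) and all sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format (not from the original post):
# time, client IP, URL, cookie sent, cookie issued via Set-Cookie, Cache-Control.
SAMPLE_LOG = """\
10:00:01 ip=198.51.100.7 url=/de/Home sent=- set=AAA1 cc=private
10:00:05 ip=198.51.100.7 url=/de/Home sent=AAA1 set=- cc=private
10:14:30 ip=198.51.100.7 url=/de/News sent=AAA1 set=AAA2 cc=public,max-age=60
10:14:41 ip=203.0.113.9 url=/de/News sent=BBB1 set=AAA2 cc=public,max-age=60
10:14:52 ip=192.0.2.44 url=/de/News sent=- set=AAA2 cc=public,max-age=60
10:15:10 ip=203.0.113.9 url=/de/Home sent=AAA2 set=- cc=private
"""

FIELD = re.compile(r"(\w+)=(\S+)")
# Directives that keep a response out of shared caches or force revalidation.
NOT_SHARED = {"private", "no-store", "no-cache"}

def parse(log):
    """Turn each non-empty log line into a dict of its fields plus 'ts'."""
    entries = []
    for line in log.splitlines():
        if line.strip():
            ts, rest = line.split(" ", 1)
            entries.append({"ts": ts, **dict(FIELD.findall(rest))})
    return entries

def is_shareable(cache_control):
    """True if no directive stops a shared cache from reusing the response."""
    names = {d.split("=")[0].strip().lower() for d in cache_control.split(",")}
    return not (names & NOT_SHARED)

def cacheable_issuers(entries):
    """Responses that issue the anonymous cookie yet may be stored and replayed."""
    return [(e["ts"], e["url"]) for e in entries
            if e["set"] != "-" and is_shareable(e["cc"])]

def replayed_values(entries):
    """Issued cookie values that were handed to more than one client IP."""
    issued = defaultdict(set)
    for e in entries:
        if e["set"] != "-":
            issued[e["set"]].add(e["ip"])
    return {v: sorted(ips) for v, ips in issued.items() if len(ips) > 1}

if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    print(cacheable_issuers(log), replayed_values(log))
```

Because the question's update notes that the value contains the AnonymousID and a timestamp, the same issued value going to different clients points at a stored response being replayed rather than at normal cookie refresh.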

梦中楼上月下 2024-09-01 01:02:59

Are you declaring any static variables in your code at all? I had this similar issue, and narrowed it down to that; at least for my situation.
