Protecting the forms authentication cookie when offloading SSL

Published 2024-09-29 03:47:49 · 346 words · 1 view · 0 comments


I am attempting to secure a website I am currently developing using ASP.NET MVC 2.0 and forms authentication. In order to secure the forms authentication cookie I want to set the requireSSL property to true, so the cookie is only sent by browsers when the connection is under SSL, and obviously ensure that all resources which require authorization are under SSL.

My problem is that we are using Application Request Routing to fulfil a number of functions, one being SSL offloading; therefore, by the time a request hits any web server in our farm the request is no longer under SSL, and the FormsAuthentication.SetAuthCookie method fails because an SSL connection is required to set the cookie when requireSSL is specified.

Anyone have any ideas as to a workaround here?

Thanks


Comments (2)

放血 2024-10-06 03:47:49


So I have a workaround for this; however, if anyone has any better ideas please feel free to comment. Essentially you need to intercept the response at the end of the request and manually set the Secure property on the forms authentication cookie (pretty obvious really); you will also need to set the requireSSL property in the forms authentication configuration to false. Also bear in mind we do not want to enable HTTPS for the entire site for authenticated users, hence this workaround.

There are a couple of caveats to this approach and a few things to be aware of.

  1. I found during testing that the forms authentication cookie was always written to the response, so I kept overwriting the valid authentication cookie in the browser with an empty authentication cookie; to get around this I included some logic in the HTTP module, see the code snippet below.

  2. All requests to the application which require authorization must be under SSL; otherwise the request will not contain the authentication cookie needed to authenticate the user.

  3. Because you are only passing the authentication cookie for SSL requests, you will need another mechanism to tell your application that the current user is authenticated when they browse the non-SSL areas of the site. I have implemented this with an additional cookie which is set when the user logs in and does not have an expiry date set, so it will expire at the end of the user's session; of course this cookie is removed if the user logs out.

Below is the logic, implemented in an HTTP module, to effect the above. I have been testing this for the last couple of hours and have not come across any problems yet; I will be sure to update this post if I do!


We should only ever send an authentication cookie to the client if the user has just logged in. Here's the logic:

  1. If the request has an auth cookie, the user is already authenticated and under SSL, so ensure we do not send a new auth cookie in the response.
  2. If the request does not have an auth cookie but there is a valid auth cookie in the response, set the response auth cookie to Secure, so it is only transmitted by the browser under SSL.
  3. If the request does not have an auth cookie and the response has an invalid or empty auth cookie, ensure we remove the response cookie so we don't overwrite the valid cookie in the client browser.

using System;
using System.Web;
using System.Web.Security;

// The post shows only the EndRequest handler; the module wrapper and class name
// are added here so the snippet compiles and can be registered in web.config.
public class SecureAuthCookieModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.EndRequest += EndRequest;
    }

    public void Dispose()
    {
    }

    // ValidRequest is the poster's own request filter and is not shown in the post;
    // this permissive stand-in keeps the module compilable.
    private static bool ValidRequest(HttpRequest request)
    {
        return request != null;
    }

    private void EndRequest(object sender, EventArgs e)
    {
        var application = (HttpApplication)sender;

        if (ValidRequest(application.Request) && application.Response.Cookies.Count > 0)
        {
            //only do the below if the user is not logging out the site, if the user is logging out we can
            //leave the default forms authentication behaviour which is to expire the auth cookie
            if (application.Request.AppRelativeCurrentExecutionFilePath != "~/authentication/logoff")
            {
                var requestAuthCookie = application.Request.Cookies[FormsAuthentication.FormsCookieName];
                var responseAuthCookie = application.Response.Cookies[FormsAuthentication.FormsCookieName];

                if (requestAuthCookie != null && responseAuthCookie != null && string.IsNullOrEmpty(responseAuthCookie.Value))
                {
                    // the request already carried a ticket; drop the empty re-issued cookie
                    application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
                }
                else if (responseAuthCookie != null && !string.IsNullOrEmpty(responseAuthCookie.Value))
                {
                    // a fresh ticket: mark it Secure so the browser only sends it under SSL
                    responseAuthCookie.Secure = true;
                    application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
                    application.Response.Cookies.Add(responseAuthCookie);
                }
                else if (responseAuthCookie == null || string.IsNullOrEmpty(responseAuthCookie.Value))
                {
                    // an empty cookie here would overwrite the valid cookie in the browser
                    application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
                }
            }
        }
    }
}
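The following is an added example, not the poster's module, showing one complete IHttpModule that covers all three caveats in the answer above: it avoids the create-on-read behaviour of the cookie indexers that makes the auth cookie look "always written", drops an empty ticket so it cannot clobber the browser's valid one, marks a real ticket Secure (and HttpOnly), and issues the plain session-scoped "logged in" hint cookie for the non-SSL parts of the site. The class name, the hint cookie name `loggedin` and the `~/authentication/logoff` path are assumptions; the `<forms>` element still needs `requireSSL="false"`, since `FormsAuthentication.SetAuthCookie` checks `Request.IsSecureConnection` before the module runs.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;

// Added example module (names assumed). Register in web.config under
// <system.webServer><modules><add name="SecureFormsCookie" type="SecureFormsCookieModule"/></modules>
public class SecureFormsCookieModule : IHttpModule
{
    // Caveat 3: a non-Secure, session-scoped cookie that only says "someone is logged in".
    // It carries no ticket, so non-SSL pages may use it for UI decisions only, never for
    // authorization; that still comes from the forms ticket, which only travels over SSL.
    private const string HintCookieName = "loggedin";            // assumed name
    private const string LogoffPath = "~/authentication/logoff"; // assumed, as in the post

    public void Init(HttpApplication app)
    {
        app.EndRequest += OnEndRequest;
    }

    public void Dispose()
    {
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string name = FormsAuthentication.FormsCookieName;

        // Response.Cookies[name] creates an empty cookie when none exists (one reason the
        // auth cookie appears "always written"), so probe AllKeys before indexing.
        if (!app.Response.Cookies.AllKeys.Contains(name))
        {
            return; // nothing touched the auth cookie on this request
        }

        bool isLogoff = string.Equals(app.Request.AppRelativeCurrentExecutionFilePath,
                                      LogoffPath, StringComparison.OrdinalIgnoreCase);
        if (isLogoff)
        {
            // FormsAuthentication.SignOut has queued an expired auth cookie; let it through
            // and expire the hint cookie alongside it.
            var expiredHint = new HttpCookie(HintCookieName, string.Empty);
            expiredHint.Expires = DateTime.UtcNow.AddDays(-1);
            app.Response.Cookies.Add(expiredHint);
            return;
        }

        HttpCookie authCookie = app.Response.Cookies[name];
        if (string.IsNullOrEmpty(authCookie.Value))
        {
            // Caveat 1: an empty auth cookie would overwrite the browser's valid ticket.
            app.Response.Cookies.Remove(name);
            return;
        }

        // A real ticket (login or sliding renewal): the browser may only replay it over SSL
        // and script must not read it. Set() updates the queued cookie in place.
        authCookie.Secure = true;
        authCookie.HttpOnly = true;
        app.Response.Cookies.Set(authCookie);

        // Caveat 3: no Expires, so the hint lives for the browser session only.
        if (!app.Response.Cookies.AllKeys.Contains(HintCookieName))
        {
            var hint = new HttpCookie(HintCookieName, "1");
            hint.HttpOnly = true;
            app.Response.Cookies.Add(hint);
        }
    }
}
```

Caveat 2 of the answer still applies unchanged: every action that requires authorization must be reachable only over SSL, because a plain-HTTP request never carries the Secure cookie and would be treated as anonymous no matter what the hint cookie says.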
终难愈 2024-10-06 03:47:49


SSL offload should allow you to make an SSL connection from the SSL offloader to the web server.

The SSL connection from the SSL offloader to the web server should use the lightest and fastest (and probably weakest) encryption available.

This allows you to use secure cookies, reduce the encryption load on the servers and avoid modifying your code.
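An added example of the re-encryption setup this answer suggests, written against Microsoft.Web.Administration (the IIS management assembly); it is not code from the answer or from ARR itself. It creates the ARR web farm with an `httpsPort` on each back end and two global URL Rewrite rules: requests that reached ARR over TLS (`{HTTPS}` is `on`) are rewritten to `https://<farm>/...`, which makes ARR open TLS to the chosen server, while plain requests stay on `http://`. Keeping the two separate matters: if every request were upgraded to `https://` on the way to the farm, `Request.IsSecureConnection` would be true for a plaintext client too, `requireSSL="true"` would accept it, and the Secure cookie issued could never be returned by that browser. The farm name, host names and rule names are assumptions; each web server needs a certificate bound on 443, and the cipher strength the answer mentions is a Schannel policy on the servers, not something this code selects.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example (names assumed). Run elevated on the ARR front end with the ARR and
// URL Rewrite modules installed; CommitChanges() writes applicationHost.config.
public static class ArrReencryptSetup
{
    public static void Configure(string farmName, string[] backendHosts)
    {
        using (var serverManager = new ServerManager())
        {
            Configuration config = serverManager.GetApplicationHostConfiguration();

            // 1. The farm. httpsPort is the port ARR connects to when the rewrite
            //    target starts with https://.
            ConfigurationElementCollection farms = config.GetSection("webFarms").GetCollection();
            ConfigurationElement farm = farms.CreateElement("webFarm");
            farm["name"] = farmName;
            farm["enabled"] = true;
            ConfigurationElementCollection servers = farm.GetCollection();
            foreach (string host in backendHosts)
            {
                ConfigurationElement server = servers.CreateElement("server");
                server["address"] = host;
                server["enabled"] = true;
                ConfigurationElement routing = server.GetChildElement("applicationRequestRouting");
                routing["httpPort"] = 80;
                routing["httpsPort"] = 443; // the back end needs a server certificate bound here
                servers.Add(server);
            }
            farms.Add(farm);

            // 2. Global rules, evaluated in order. Only TLS-originated requests are
            //    re-encrypted, so the back end's Request.IsSecureConnection stays honest.
            ConfigurationElementCollection rules =
                config.GetSection("system.webServer/rewrite/globalRules").GetCollection();
            rules.Add(RouteRule(rules, "ARR_" + farmName + "_tls", "on", "https://" + farmName + "/{R:0}"));
            rules.Add(RouteRule(rules, "ARR_" + farmName + "_plain", "off", "http://" + farmName + "/{R:0}"));

            serverManager.CommitChanges();
        }
    }

    // Builds one rule: match url="*", condition {HTTPS} equals httpsValue, action Rewrite to targetUrl.
    private static ConfigurationElement RouteRule(ConfigurationElementCollection rules,
                                                  string name, string httpsValue, string targetUrl)
    {
        ConfigurationElement rule = rules.CreateElement("rule");
        rule["name"] = name;
        rule["patternSyntax"] = "Wildcard";
        rule["stopProcessing"] = true;
        rule.GetChildElement("match")["url"] = "*";

        ConfigurationElementCollection conditions = rule.GetChildElement("conditions").GetCollection();
        ConfigurationElement condition = conditions.CreateElement("add");
        condition["input"] = "{HTTPS}";
        condition["pattern"] = httpsValue; // URL Rewrite exposes {HTTPS} as "on" or "off"
        conditions.Add(condition);

        ConfigurationElement action = rule.GetChildElement("action");
        action["type"] = "Rewrite";
        action["url"] = targetUrl;
        return rule;
    }

    public static void Main()
    {
        // Hypothetical farm and back-end host names.
        Configure("app-farm", new[] { "web01.corp.internal", "web02.corp.internal" });
        Console.WriteLine("ARR farm and routing rules written to applicationHost.config.");
    }
}
```

With this in place the application can keep `<forms requireSSL="true">` and needs no cookie-rewriting module, which is the point of the answer: the SSL-only areas of the site are reached over TLS end to end, and `FormsAuthentication.SetAuthCookie` sees a secure connection on the web server.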
