ASP.NET 4 中的多个域安全问题
最近,我的公司除了www.companyname.com 之外,还添加了第二个域名companyname.com。我们最近还开始在我们的网站中发现一些奇怪的安全问题,我想知道它们是否可能相关。
特别是,有时人们在网站上似乎会失去自己的角色。因此,例如,他们能够导航到一个页面(受保护),但随后经过验证的页面的一个或多个受保护部分将表现得好像他们不具有我所知道的某些角色他们有。
这两个域是否有可能以某种方式干扰另一个域的 cookie/验证并导致安全框架不返回任何角色?如果是这样,有什么方法可以纠正这种行为吗?
我们正在使用开箱即用的表单身份验证。
Recently my company added a second domain companyname.com in addition to www.companyname.com. We also recently started seeing some odd security issues within our site and I was wondering if they might be related.
In particular, it seems like sometimes people lose their roles while on the site. So, for example, they are able to navigate to a page (which is secured), but then one or more of the secured pieces of the page that they are validated for will act like they don't have some of the roles I know they have.
Is it possible that somehow the two domains are interfering with the cookies/validation of the other one and causing the security framework to return no roles? If so, is there any way to correct this behavior?
We are using out of the box Forms authentication.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
默认情况下,存储在 cookie 中的令牌与您站点的域一致。您需要将其设置为一致,否则不会共享:FormsAuthentication.CookieDomain 属性
将其设置为 yourcompany.com,应该没问题。我相信您可以在 web.config 中更改此值,因此您不需要重建您的应用程序。
By default the token stored in the cookie goes with the domain of your site. You'll need to set it to be consistent, otherwise it won't be shared: FormsAuthentication.CookieDomain property
Set it to yourcompany.com, and it should be fine. I believe you can change this value in the web.config, so you shouldn't need to rebuild your app.