Large FedAuth Cookies (FedAuth4) with only 7 claims
I'm struggling to figure out why a ClaimsPrincipal with only 7 claims is producing 5 FedAuth cookies (FedAuth1, FedAuth2, FedAuth3, FedAuth4) from the FAM.
This is causing problems as Safari is truncating my cookies and my Mac users are unable to log in.
Any ideas why I might be experiencing this or where I can look to figure it out?
UPDATE: As pointed out by Eugenio, setting SaveBootstrapTokens=false shrunk the cookies from 5 back to 2 and now Safari users can log in.
Comments (2)
What do these claims contain? The number of claims will affect the size of the token, but so will the information they have. The FedAuthx cookies are essentially the entire token (more specifically a SessionToken), encrypted and chunked.
As an alternative you can consider using WIF "session mode", which will store the token on the server side. The tradeoff is having to manage the server-side state and its consequences (e.g. state across web farms, etc.).
Update:
You can control the size of each cookie with additional config. The minimum size is 1000 though and you can't control the total amount of cookies.
The workaround mentioned in the article seems similar to what WIF does out of the box with "session mode" explained above. I'd suggest using this approach instead of a custom one. Vittorio's article explains it very well: http://blogs.msdn.com/b/vbertocci/archive/2010/05/26/your-fedauth-cookies-on-a-diet-issessionmode-true.aspx
The cookie limitation is a known issue with WIF and Safari. Take a look here at the official bug report and work-around, which helps to limit the size of the token:
http://connect.microsoft.com/site642/feedback/details/573602/w-i-f-session-cookies-are-truncated-when-combined-size-4000-bytes-in-safari-and-opera
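
A diagnostic for the problem discussed in this thread, as an added example that is not part of the original posts: it reads one Cookie request header, adds up the FedAuth chunks, and reports whether their combined size passes the 4000 bytes named in the linked bug report or whether a chunk is missing. The function names, the sample headers and the choice to count name plus value toward the limit are assumptions.

```python
import re

# Threshold from the title of the bug report linked above (combined size, bytes).
COMBINED_LIMIT = 4000
_CHUNK = re.compile(r"^FedAuth(\d*)$")


def audit_fedauth(cookie_header, limit=COMBINED_LIMIT):
    """Summarise the FedAuth chunks found in one Cookie request header."""
    chunks = {}
    for pair in cookie_header.split(";"):
        # Split on the first "=" only: base64 values may end in "=" padding.
        name, sep, value = pair.strip().partition("=")
        match = _CHUNK.match(name)
        if sep and match:
            # The first chunk is plain "FedAuth"; later ones carry an index.
            chunks[int(match.group(1) or 0)] = (name, value)
    if not chunks:
        return {"chunks": 0, "bytes": 0, "missing": [], "over_limit": False}
    # A gap below the highest index means a chunk never reached the server.
    missing = [i for i in range(max(chunks)) if i not in chunks]
    # Assumption: each cookie counts as name + "=" + value toward the limit.
    total = sum(len(n) + 1 + len(v) for n, v in chunks.values())
    return {"chunks": len(chunks), "bytes": total,
            "missing": missing, "over_limit": total > limit}


def build_header(sizes):
    """Constructed sample: FedAuth, FedAuth1, ... filled with dummy data."""
    names = ["FedAuth" + (str(i) if i else "") for i in range(len(sizes))]
    return "; ".join(f"{n}={'A' * s}" for n, s in zip(names, sizes))


# Constructed samples, not captured traffic.
FIVE_CHUNKS = build_header([1000] * 5)
TWO_CHUNKS = build_header([1000, 600])
# Same as FIVE_CHUNKS but with FedAuth2 dropped, as a truncating browser might.
TRUNCATED = "; ".join(p for p in FIVE_CHUNKS.split("; ")
                      if not p.startswith("FedAuth2="))

if __name__ == "__main__":
    for label, header in [("five", FIVE_CHUNKS), ("two", TWO_CHUNKS),
                          ("truncated", TRUNCATED)]:
        print(label, audit_fedauth(header))
```

Run against Cookie headers logged at the relying party, a non-empty `missing` list on Safari requests points at truncation rather than at the token issuer.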