FormsAuthentication.SignOut does not work with a custom-domain cookie

Posted on 2024-12-10 08:25:06

Title should say it all.

Here's the code to set the cookie:

// snip - some other code to create custom ticket
var httpCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encodedTicket);
httpCookie.Domain = "mysite.com";
httpContextBase.Response.Cookies.Add(httpCookie);

Here's my code to sign out of my website:

FormsAuthentication.SignOut();

Environment:

  • ASP.NET MVC 3 Web Application

  • IIS Express

  • Visual Studio 2010

  • Custom domain: "http://localhost.www.mysite.com"

So when I try and log off, the cookie is still there. If I get rid of the httpCookie.Domain line (e.g. default to null), it works fine.

Other weird thing I noticed is that when I set the domain, Chrome doesn't show my cookie in the Resources portion of developer tools, but when I don't set the domain, it does.

And secondly, when I actually create the cookie with the custom domain, on the next request when I read in the cookie from the request (to decrypt it), the cookie is there, but the domain is null?

I also tried creating another cookie with the same name and setting the expiry to yesterday. No dice.

What's going on? Can anyone help?

Comments (2)

温柔女人霸气范 2024-12-17 08:25:06

I believe if you set the domain attribute on the forms element in your web.config, to the same as the one in your custom cookie, it should work. (EDIT: that approach won't work because the SignOut method on FormsAuthentication sets other flags on the cookie that you are not, like HttpOnly) The SignOut method basically just sets the cookie's expiration date to 1999, and it needs the domain to set the right cookie.

If you can't hardcode the domain, you can roll your own sign out method:

private static void SignOut()
{
    var myCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    myCookie.Domain = "mysite.com";
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    HttpContext.Current.Response.Cookies.Add(myCookie);
}

An authentication cookie is just a plain cookie; so you would remove it the same way you would any other cookie: expire it and make it invalid.
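
An added example, not part of the original answer or the asker's code: a hypothetical `AuthCookieHelper` that builds both the sign-in cookie and its expiring replacement from the same attributes, so the two cannot drift apart. It assumes the domain is configured once on the `forms` element in web.config, so that `FormsAuthentication.CookieDomain` returns it.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (added example): one place defines the cookie's
// name, domain, path and flags for both sign-in and sign-out.
public static class AuthCookieHelper
{
    private static HttpCookie Build(string value)
    {
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, value)
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };

        // Assumption: <forms domain="mysite.com" ... /> is set in web.config.
        // With no configured domain the cookie stays host-only on both paths.
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
        {
            cookie.Domain = FormsAuthentication.CookieDomain;
        }
        return cookie;
    }

    // Sign-in: encryptedTicket is the output of FormsAuthentication.Encrypt.
    public static void Issue(HttpResponseBase response, string encryptedTicket)
    {
        response.Cookies.Add(Build(encryptedTicket));
    }

    // Sign-out: send a cookie with the same name, domain and path,
    // an empty value and an expiry in the past.
    public static void Revoke(HttpResponseBase response)
    {
        var expired = Build(string.Empty);
        expired.Expires = DateTime.UtcNow.AddYears(-1);

        // Drop any cookie of the same name already queued on this response
        // so only the expiring one is sent.
        response.Cookies.Remove(FormsAuthentication.FormsCookieName);
        response.Cookies.Add(expired);
    }
}
```

The browser identifies a cookie by name, domain and path, so the expiring cookie only replaces the original when all three match; the request `Cookie` header carries only name and value, which is why `Domain` reads as null on the incoming cookie.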

只想待在家 2024-12-17 08:25:06

I had a similar problem. In my case, I was storing some userData in the AuthCookie and experienced the same effects as described above, and upon authentication at each request, reading the cookie and putting the userData in a static variable. It turned out in my case that the data was being persisted in the application. To get around it, I had to first clear my static variable, and then expire the cookie. I used the following in the LogOff method of my AccountController:

AuthCookie.Clear(); //STATIC CLASS holding my userdata implemented by me.
Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddYears(-1);
Response.Cookies[FormsAuthentication.FormsCookieName].Value = null;
return RedirectToAction("Index", "Home");

Hope this helps.

UPDATE

On a hunch after submitting, I replaced the middle two lines with:

FormsAuthentication.SignOut();

... and it worked fine where it didn't before.

Note:

AuthCookie.Clear();

... does not touch the AuthCookie, it just resets the static class I wrote to default values.

Again, hope this helps.
