Why do ASP.NET Identity logins from one site get shared with different websites on the same machine?

Backend | Unresolved | 1 | 1979
没有蜡笔的小新 2020-12-08 00:45

I create a brand new web application, say "WebApplication1" (WebForms with Authentication set to Individual User Account). I don't add a single line of code to the auto ge

1 answer
  • 2020-12-08 01:27

    If your server is configured to use Cookie Authentication the server will return a cookie to the browser containing encrypted and signed claims about the user.

    This cookie is by default named: .AspNet.ApplicationCookie.

    This cookie will be stored in your browser until it expires (default 14 days, with sliding expiry) or you explicitly sign out, which deletes the cookie.

    If you open another tab or window of the same browser type, after you have logged in, it will also have the same cookie and pass it when sending requests to either of your two web sites.

    If both sites are configured to look for the same cookie name, they will both see it and be able to decrypt the authentication cookie, as they share the same machine and thus the machine key which is used by the server to encrypt/decrypt and sign the cookie. There's nothing in the cookie telling which site within the same server it belongs to, so the "User1" claim which is stored in your website WebApplication1 will be regarded as authenticated on WebApplication2. The OWIN authentication middleware will not check the database if there is a valid cookie in an incoming request. It will simply use the presented encrypted claims (username, possibly roles and others) in the cookie.

    If you set the CookieName differently in your two web applications, they will not use the same authentication cookie, and hence a user authenticated in one site will not be authenticated on the other.

    You can set the CookieName in your Startup.Auth.cs like this:

    using Microsoft.AspNet.Identity;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
        public void ConfigureAuth(IAppBuilder app)
        {
            // Enable the application to use a cookie to store information for the signed in user
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                // Give each site its own cookie name so one site never reads the other's cookie
                CookieName = "MyCookieName"
            });
        }
    }
    
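The fix described in the answer, carried through for both sites and paired with a page that lets you confirm the isolation, as an added example that is not part of the original post or of the ASP.NET Identity project template. It assumes a hypothetical `SiteName` appSetting in each site's Web.config (set to `WebApplication1` in one project and `WebApplication2` in the other) and a hypothetical diagnostic page `WhoAmI.aspx` whose code-behind is shown here; everything else is the standard WebForms/OWIN API.

```csharp
// Added example, not code from the original post or the Identity template.
// Assumes Web.config contains <add key="SiteName" value="WebApplication1" />
// in one project and value="WebApplication2" in the other (hypothetical setting).
using System;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.UI;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

namespace WebApplicationN
{
    // Startup.Auth.cs: identical in both projects, the difference comes from Web.config.
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            string siteName = ConfigurationManager.AppSettings["SiteName"] ?? "DefaultSite";

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                // Per-site cookie name: ".AspNet.WebApplication1" / ".AspNet.WebApplication2".
                // Site 2 still shares the machine key and could decrypt site 1's cookie,
                // but it never looks at it because the name does not match.
                CookieName = ".AspNet." + siteName,
                // Optional extra: when the sites are distinct virtual directories on one
                // host (e.g. /App1 and /App2), scoping the path keeps the browser from
                // sending the cookie to the other site at all. For root-hosted sites this
                // resolves to "/" and changes nothing.
                CookiePath = HttpRuntime.AppDomainAppVirtualPath,
                ExpireTimeSpan = TimeSpan.FromDays(14),
                SlidingExpiration = true
            });
        }
    }

    // WhoAmI.aspx.cs (hypothetical page): open it in each site after logging in to one
    // of them. The other site should report Authenticated: False even though the
    // browser may still present the first site's cookie in the request.
    public partial class WhoAmI : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            Response.ContentType = "text/plain";
            Response.Write("Site: " + HttpRuntime.AppDomainAppVirtualPath + "\n");
            Response.Write("Authenticated: " + User.Identity.IsAuthenticated + "\n");
            Response.Write("Name: " +
                (string.IsNullOrEmpty(User.Identity.Name) ? "(anonymous)" : User.Identity.Name) + "\n");

            // List every Identity cookie the browser sent; seeing the other site's
            // cookie here while Authenticated is False is the expected, correct result.
            var identityCookies = Request.Cookies.AllKeys
                .Where(k => k.StartsWith(".AspNet.", StringComparison.Ordinal));
            foreach (var cookieName in identityCookies)
            {
                Response.Write("Cookie presented: " + cookieName + "\n");
            }
        }
    }
}
```

Two things worth knowing when you test this with IIS Express: browsers do not scope cookies by port, so two sites on `localhost:port1` and `localhost:port2` share one cookie jar and `CookiePath` alone will not separate root-hosted sites; the distinct `CookieName` is what does the work. And because the middleware trusts a well-formed cookie without consulting the database, a site that shares the machine key and cookie name with another accepts that site's logins as its own, which is exactly the behaviour the question observed.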