FormsAuthentication Decrypt In Asp.Net Core

ε祈祈猫儿з submitted on 2021-01-27 20:18:08

Question


We have multiple Asp.Net MVC applications with Single Sign On where we encrypt a string using the FormsAuthentication.Encrypt() method, pass it as a query string, and decrypt the same string using FormsAuthentication.Decrypt().

Since both sites were developed in Asp.Net MVC we are able to use Forms Authentication and able to decrypt the string.

Now we are developing a new project in Asp.Net Core where we pass an encrypted string as a query string from Asp.Net MVC and have to decrypt it in the Asp.Net Core web application.

Is there any alternative to decrypt the string in Asp.Net Core?

Note: We are not using Asp.Net Identity

//Encryption
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "Name", DateTime.Now, DateTime.Now.AddMinutes(60), true, "DataToEncrypt");

string encrypted = FormsAuthentication.Encrypt(ticket);
Response.Redirect("siteUrl?CookieName="+encrypted );

//Decryption
HttpCookie authCookie = Request.Cookies["CookieName"];

var formsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value);
string _userData = formsAuthenticationTicket.UserData;

Answer 1:


No, what you were doing before depended on both applications sharing the same machine key, so that they both encrypt/decrypt in the same way. ASP.NET Core does not support the concept of machine keys and does not use them for encryption. Instead, it uses data protection providers. As such there is no possible way to decrypt a value in ASP.NET Core that was encrypted in an ASP.NET app based on machine key. Full stop.

That said, the data protection provider concept used in ASP.NET Core can be used in ASP.NET, but that will obviously require you to change your current design to utilize data protection provider to encrypt/decrypt instead of your current methodology. Then, assuming that the provider is configured the same across all the apps, then you'll be able to decrypt in ASP.NET Core. Namely that requires that the keyring used by the data protection provider is in a shared location that all the apps can access, and that all the apps are configured to use the same application name.

Please refer to the documentation for how to set this up. The documentation is geared towards both cookie sharing and auth, but what this is really about is shared encryption schemes, so setting up the data protection bits mentioned in the docs will be enough.
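
The shared data protection setup the answer describes, as an added example that is not part of the original answer. The key ring path, application name and purpose string are placeholder assumptions; `DataProtectionProvider.Create` comes from the Microsoft.AspNetCore.DataProtection.Extensions package, which both the ASP.NET MVC app and the ASP.NET Core app can reference.

```csharp
// Added example: one helper compiled into both the ASP.NET MVC sender and the
// ASP.NET Core receiver, replacing FormsAuthentication.Encrypt/Decrypt.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class SsoTicketProtector
{
    // Placeholders (assumptions): all three values must be identical in every app.
    private const string KeyRingPath = @"\\fileserver\sso-keyring";
    private const string ApplicationName = "SharedSsoApp";
    private const string Purpose = "Sso.QueryStringTicket.v1";

    // Keys persisted to a custom directory are NOT encrypted at rest by default.
    // Restrict the share's ACL to the app identities, or add a key-encryption
    // option such as ProtectKeysWithCertificate in the builder callback.
    private static readonly ITimeLimitedDataProtector Protector =
        DataProtectionProvider
            .Create(new DirectoryInfo(KeyRingPath),
                    builder => builder.SetApplicationName(ApplicationName))
            .CreateProtector(Purpose)
            .ToTimeLimitedDataProtector();

    // Sender side: returns a base64url token that is safe to place in a URL.
    // The lifetime plays the role of the ticket expiry in the original code.
    public static string Encrypt(string userData, TimeSpan lifetime)
    {
        return Protector.Protect(userData, lifetime);
    }

    // Receiver side: false for tampered, expired, malformed or foreign-key
    // tokens. All of these surface as CryptographicException.
    public static bool TryDecrypt(string token, out string userData)
    {
        userData = null;
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            userData = Protector.Unprotect(token);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }
}
```

In the ASP.NET Core app the same key ring can instead be registered through dependency injection with `services.AddDataProtection().PersistKeysToFileSystem(...).SetApplicationName(...)`, using the same path and application name.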



Source: https://stackoverflow.com/questions/58713536/formsauthentication-decrypt-in-asp-net-core
