Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
467 views
in Technique[技术] by (71.8m points)

asp.net - Proper creation of a cross-domain forms authentication cookie

I'm just creating a simple test between two server. Basically if a user has already authenticated I want to be able to pass them between applications. I changed the keys to hide them

I have three questions:

  1. What is the proper way to validate the cookie across domain application. For example, when the user lands at successpage.aspx what should I be checking for?
  2. Is the below code valid for creating a cross domain authentication cookie?
  3. Do I have my web.config setup properly?

My code:

if (authenticated == true)
{
  //FormsAuthentication.SetAuthCookie(userName, false);
  bool IsPersistent = true;
  DateTime expirationDate = new DateTime();
  if (IsPersistent)
    expirationDate = DateTime.Now.AddYears(1);
  else
    expirationDate = DateTime.Now.AddMinutes(300); 

  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
      1,
      userAuthName,
      DateTime.Now,
      expirationDate,
      IsPersistent,
      userAuthName,
      FormsAuthentication.FormsCookiePath);

  string eth = FormsAuthentication.Encrypt(ticket);
  HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, eth);
  if (IsPersistent)
    cookie.Expires = ticket.Expiration;

  cookie.Domain = ".myDomain.com";
  Response.SetCookie(cookie);
  Response.Cookies.Add(cookie);

  Response.Redirect("successpage.aspx");
}

My config:

<authentication mode="Forms">
  <forms loginUrl="~/Default.aspx" timeout="2880" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>
</authentication>
<customErrors mode="Off" defaultRedirect="failure.aspx" />
<machineKey decryptionKey="@" validationKey="*" validation="SHA1"  decryption="AES"/>
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

What is the proper way to validate the cookie across domain application. For example, when the user lands at successpage.aspx what should I be checking for ?

There shouldn't be anything to check. Forms authentication mechanism will retrieve the ticket from the cookie, check if it is valid. If not present, or invalid, user will redirected to ~/Default.aspx . This will work provided your cookie matches the configuration of your web.config

Is the below code valid for creating a cross domain authentication cookie ?

I think you shouldn't try to override the settings of your web.config by manually handling the cookie. I think there are better ways for handling cookie persistence (see below for web.config) and you are just implementing a part of the Forms authentication API (loosing web.config for SSL for example )

  1. here, your manual cookie is not HttpOnly : you could for example be subject to cookie theft through XSS
  2. FormsAuthentication has its own way of handling the cookie (see the TimeOut attribute description in http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.80%29.aspx) Your cookie persistence mechanism will be overwritten by this automatic behavior

Your code should just be :

if (authenticated)
{  
  bool isPersistent = whateverIwant;
  FormsAuthentication.SetAuthCookie(userName, isPersistent );
  Response.Redirect("successpage.aspx");
}

Do I have my web.config setup properly?

It should be ok for the domain attribute, as long as you want to share authentication among direct subdomains of mydomain.com (it won't work for x.y.mydomain.com), and mydomain.com is not in the public suffix list ( http://publicsuffix.org/list/ )

I would change the timeout and slidingExpiration attributes to :

 <forms loginUrl="~/Default.aspx" timeout="525600" slidingExpiration="false" name=".AUTHCOOKIE" domain="myDomain.com" cookieless="UseCookies" enableCrossAppRedirects="true"/>

I guess it is a good way to handle the choice between one year persistent cookies and session cookies. See https://stackoverflow.com/a/3748723/1236044 for more info


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...