表单身份验证 - 需要 SSL - 设置身份验证 Cookie 失败
[英]Forms Authentication - Require SSL - Setting Authentication Cookie Fails
问题描述
I'm trying to configure my environment such that the authentication cookie can only be accessible through HTTPs (securing it from XSS attacks).
我正在尝试配置我的环境,以便只能通过 HTTPs 访问身份验证 cookie(保护它免受 XSS 攻击)。 I read several articles and I reached the conclusion that I should set the requireSSL attribute to "true"我阅读了几篇文章,得出的结论是我应该将 requireSSL 属性设置为“true”
<authentication mode="Forms">
<forms name="someName" loginUrl="~/login" timeout="40" protection="All" slidingExpiration="true" defaultUrl="~/index" requireSSL="true" />
</authentication>
The problem is that when I'm trying to set the Authentication cookie, it throws an exception.问题是,当我尝试设置身份验证 cookie 时,它会引发异常。
FormsAuthentication.SetAuthCookie(username, false);
Exception:例外:
The application is configured to issue secure cookies.该应用程序被配置为发出安全 cookie。 These cookies require the browser to issue the request over SSL (https protocol).这些 cookie 要求浏览器通过 SSL(https 协议)发出请求。 However, the current request is not over SSL.但是,当前请求不是通过 SSL。
Stack trace:堆栈跟踪:
System.Web.HttpException: The application is configured to issue secure cookies. System.Web.HttpException: 应用程序配置为发出安全 cookie。 These cookies require the browser to issue the request over SSL (https protocol).这些 cookie 要求浏览器通过 SSL(https 协议)发出请求。 However, the current request is not over SSL.但是,当前请求不是通过 SSL。
at System.Web.Security.FormsAuthentication.SetAuthCookie(String userName, Boolean createPersistentCookie, String strCookiePath)在 System.Web.Security.FormsAuthentication.SetAuthCookie(String userName, Boolean createPersistentCookie, String strCookiePath)
The problem occurs on my local machine (even though it's configured for HTTPs access) and on the live server as well (which is also on HTTPs)问题出现在我的本地机器上(即使它被配置为 HTTPs 访问)和实时服务器上(也在 HTTPs 上)
Can anyone help me with this issue?谁能帮我解决这个问题? Thanks.谢谢。
2 个解决方案
解决方案1
4 2013-11-13 14:48:21
This is a bit beside the point, but still relevant to what you're trying to accomplish.这有点离题,但仍然与您要实现的目标相关。 Your assumption that using the Secure flag on a cookie will protect it from XSS is incorrect.您认为在 cookie 上使用Secure标志可以保护它免受 XSS 攻击的假设是不正确的。 The secure flag simply means that the cookie will only be sent via HTTPS.安全标志仅表示 cookie 将仅通过 HTTPS 发送。
The flag you're actually looking for is the HttpOnly flag.您实际要查找的标志是HttpOnly标志。 The HttpOnly flag will cause the browser to only make the cookie available as a part of HTTP/S requests. HttpOnly标志将导致浏览器仅将 cookie 作为 HTTP/S 请求的一部分提供。 The browser will then deny client side code (JavaScript, Flash, etc.) access to the cookie, thus protecting it against XSS.然后浏览器将拒绝客户端代码(JavaScript、Flash 等)访问 cookie,从而保护它免受 XSS 的侵害。
All that being said, you should use both flags to protect sensitive cookies (like session cookies).话虽如此,您应该使用这两个标志来保护敏感 cookie(如会话 cookie)。
解决方案2
0 2020-01-13 04:25:10
Deleting localhost certificates and recreating them by repairing IIS Express fixed this error in my case.在我的情况下,删除本地主机证书并通过修复 IIS Express 重新创建它们修复了此错误。 I've followed the steps mentioned in this guide and that solved the issue on Visual Studio 2019.我已按照本指南中提到的步骤操作,并解决了 Visual Studio 2019 上的问题。
Visual Studio 2017 - Resolving SSL/TLS Connections Problems with IIS Express Visual Studio 2017 - 使用 IIS Express 解决 SSL/TLS 连接问题
Select the Project -> F4选择项目 -> F4
Select the Project Alt + Enter选择项目 Alt + Enter
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.