
Asp.Net Forms Authentication with Subdomains

I am running a single asp.net 4.5.2 application using mvc 5. I have custom routines made to handle subdomains for each Area of the application.

I have my user auth within one of the Areas (Profile), which is its own subdomain. In the navigation bar, there is a login form that POSTs to the Login() action of the Profile controller. Since this is a subdomain, I am setting the domain info for the auth manually to have it work across all subdomains.

For the life of me, I cannot figure out how to get it to work. I've tried setting the Form Auth domain to the TLD, the TLD with a . in front, with the forms info in web.config, and without.

Here are the important bits concerning forms auth:

Web.Config

<system.web>
  <authentication mode="Forms">
  <forms domain=".teknik.io" protection="All" enableCrossAppRedirects="true" name="TeknikAuth" />
  </authentication>
</system.web>

<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  </modules>
</system.webServer>

Profile Controller

public ActionResult Login(LoginViewModel model)
{
  ...  // credential check and creation of the forms-auth ticket cookie (authcookie) elided in the original

  // Cookie name must match the forms name="TeknikAuth" in web.config
  authcookie.Name = "TeknikAuth";
  authcookie.HttpOnly = true;   // not readable from script
  authcookie.Secure = true;     // only sent over HTTPS
  // Leading dot scopes the cookie to the parent domain and every subdomain of it
  authcookie.Domain = string.Format(".{0}", Config.Host); // ".teknik.io"
  Response.Cookies.Add(authcookie);

  ...
}

Update 1

I have determined that it is working on my dev domain (single domain), and when I then visit the main domain, the cookie is still working. The only difference between the two is that on dev, the login request is on the same subdomain, while on production, it is sending the request to another subdomain.

So I figured out what was wrong. When logging in (and setting the cookie), I was sending a POST request to a different domain than the one I was currently on (profile.teknik.io/Login). This for some reason was not setting the proper cookie, so no auth was occurring. Once I moved the login to the parent domain, the auth works correctly across subdomains.

Update 2

The real issue was the ajax request for logging in. It did not have CORS enabled, so once I did that, and added the appropriate allow headers, the request would work and the cookies would be saved correctly.
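To make the moving parts of the final answer concrete, here is an added example (JavaScript, runnable under Node; not code from the original post or from the application it describes) that models the two decisions involved: RFC 6265 cookie domain matching, which is why a cookie with Domain=.teknik.io set by profile.teknik.io is later sent to www.teknik.io, and the CORS rules for a credentialed cross-origin AJAX login, which is why the cookie was silently dropped until the allow headers were added. The host names are the ones from the post; the login field names, cookie value and SameSite attribute are assumptions.

```javascript
// Added example, not code from the original post. Models the two things that
// decide whether a TeknikAuth cookie set by profile.teknik.io is usable from
// www.teknik.io: RFC 6265 cookie domain matching, and the CORS rules for a
// credentialed cross-origin (cross-subdomain) AJAX login. Host names are the
// ones in the post; the login field names and cookie value are assumptions.

const PARENT_DOMAIN = "teknik.io";

// RFC 6265 section 5.1.3: a cookie with Domain=.teknik.io is sent to teknik.io
// and to any subdomain of it, but not to hosts that merely end in "teknik.io".
function cookieDomainMatches(cookieDomain, requestHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// The Set-Cookie header the Login() action emits: parent-domain scoped so every
// subdomain receives it; Secure and HttpOnly as in the post; SameSite=Lax is an
// added hardening (assumption) that still works here because all *.teknik.io
// hosts count as one "site" for SameSite purposes.
function authSetCookieHeader(name, value) {
  return `${name}=${value}; Domain=.${PARENT_DOMAIN}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Only https origins on teknik.io or a subdomain of it may make credentialed
// requests. Anything unparsable, non-https, or off-domain is refused.
function isAllowedOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // also covers the literal "null" origin from sandboxed or file: pages
  }
  if (url.protocol !== "https:" || url.origin !== origin) return false;
  return cookieDomainMatches("." + PARENT_DOMAIN, url.hostname);
}

// CORS response headers for the cross-subdomain login. Browsers reject
// Access-Control-Allow-Origin: * when credentials are involved, so the allowed
// origin is echoed back verbatim, and Vary: Origin stops a shared cache from
// serving one origin's allow header to another. Returning null means "send no
// CORS headers", which makes the browser discard the response and its cookie.
function corsHeadersFor(originHeader) {
  if (!originHeader || !isAllowedOrigin(originHeader)) return null;
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// Browser side: options for fetch("https://profile.teknik.io/Login", ...).
// Without credentials: "include" the browser neither sends existing cookies
// nor stores the Set-Cookie from a cross-origin response, which is exactly the
// "login succeeds but no auth happens" symptom in the post. The form-encoded
// body keeps this a simple request, so no OPTIONS preflight is triggered.
function loginRequestOptions(username, password) {
  return {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ Username: username, Password: password }).toString(),
  };
}

// Put the pieces together: a login POST from a page on pageOrigin, then a
// later request to laterHost. Reports whether the cookie was kept and reused.
function simulateLogin(pageOrigin, laterHost) {
  const cors = corsHeadersFor(pageOrigin);
  if (cors === null) {
    return { loggedIn: false, reason: "no CORS allow headers: browser blocked the response" };
  }
  const setCookie = authSetCookieHeader("TeknikAuth", "ticket-placeholder");
  const domain = /Domain=([^;]+)/.exec(setCookie)[1];
  return { loggedIn: true, cookieSentTo: cookieDomainMatches(domain, laterHost) };
}
```

On the ASP.NET side the same decision has to be made on every response from the Login() action (and on the OPTIONS preflight if the AJAX call is not a simple request): read the incoming Origin header, and only when it passes the allowlist add the Allow-Origin and Allow-Credentials headers. The two shortcuts to avoid are hard-coding `*`, which browsers refuse for credentialed requests, and reflecting whatever Origin arrives, which would let any third-party site drive credentialed requests against the login endpoint.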
