[英]Visual Studio 2015 and IIS Express Renews Session ID on Each Request
I have a problem with my WebForms project that the session ID is renewed on each request. 我的WebForms项目遇到问题,即每次请求都更新会话ID。 This problem does not occur on my standard IIS, so I concluded that it's a local issue with my development setup.
在我的标准IIS上不会发生此问题,因此我得出结论,这是我的开发设置中的本地问题。
For testing, I simply created an .aspx page with the following code: 为了进行测试,我只是使用以下代码创建了一个.aspx页面:
<%: HttpContext.Current.Session.SessionID %>
As stated, when I refresh this page locally, running Visual Studio 2015 and IIS Express, I get a new session ID with each request. 如前所述,当我在本地运行Visual Studio 2015和IIS Express刷新此页面时,每个请求都会获得一个新的会话ID。 (Debugging, checking the session contents and whatnot all yield the same result.)
(调试,检查会话内容以及所有这些都不会产生相同的结果。)
What's up with this, you think? 您认为这是怎么回事?
(I've seen claims that the browser link feature could cause similar issues. I don't understand how that could be, but nevertheless tried disabling it, restarting Visual Studio and whatnot, but to no avail.) (我已经看到声称浏览器链接功能可能会导致类似的问题。我不知道怎么可能,但尽管如此,还是尝试禁用它,重新启动Visual Studio,但无济于事。)
I'll be answering my own question this time: 这次我将回答自己的问题:
When further examining why the session cookie did not "stick", checking the response headers I suddenly realized that for some reason the server was trying to set the session cookie as "secure": 当进一步检查会话cookie为什么不“粘贴”的原因时,检查响应头时,我突然意识到,由于某种原因,服务器试图将会话cookie设置为“安全”:
Set-Cookie:ASP.NET_SessionId=lgkbje1igeprk3u53dsfbvtg; path=/; secure; HttpOnly
While this is not at all a bad thing per se, in my development setup it was unexpected. 尽管这本身并不是一件坏事,但在我的开发设置中却出乎意料。 I did not run the request over https, so consequently the session cookie was dropped.
我没有通过https运行请求,因此会话cookie被删除。
The culprit in this case, was to be found in the web.config
, where I had: 在这种情况下,罪魁祸首是在
web.config
找到的:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
This is all slightly embarrassing to me, but I thought it might be of help to someone in the future, the realization that the observed behavior (new session with each request) may come from trying to set the session cookie as "secure" without a secure connection, ie https
. 这一切都让我有些尴尬,但是我认为这可能对将来的某人有所帮助,这是因为意识到观察到的行为(每个请求都带有新会话)可能来自尝试将会话cookie设置为“安全”而没有安全连接,即
https
。
[EDIT] In response to a question in the comments about the ideal setting for different environments: [EDIT]回应评论中有关不同环境的理想设置的问题:
I don't think you can say there's an "ideal" setting for local, test or staging environment, as that depends entirely on your needs for each environment. 我认为您不能说本地,测试或暂存环境有一个“理想”的设置,因为这完全取决于您对每种环境的需求。
It's perhaps less arbitrary to talk about an "ideal" setting for production environments, or "live" as you say; 谈论生产环境的“理想”设置或您所说的“实时”设置可能不太随意。 For ASP.NET, personally I would always use:
对于ASP.NET,我个人将始终使用:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
To expand on the subject of security in general, I'd also make sure that the HSTS HTTP header is set. 为了扩展一般的安全性,我还要确保已设置HSTS HTTP标头。 Again, the exact approach to achieve this depends on your context, like what platform your using etc. In an older ASP.NET application, where AFAIK there is no better way, I'd put something in
Global.asax
along the lines of: 同样,实现此目标的确切方法取决于您的上下文,例如您所使用的平台等。在较旧的ASP.NET应用程序中,没有AFAIK的更好方法,我将在
Global.asax
放入以下内容:
protected void Application_BeginRequest(Object sender, EventArgs e) {
if(Request.IsLocal)
return;
switch (Request.Url.Scheme) {
case "https":
Response.AddHeader("Strict-Transport-Security", "max-age=300");
break;
case "http":
var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", path);
break;
}
}
Of course, there are other HTTP headers that is relevant for security as well, and other information that you should change the default configuration of your application and web server to NOT reveal. 当然,还有其他与安全性相关的HTTP标头,以及应更改应用程序和Web服务器的默认配置以不显示的其他信息。 Here are some links on the subject:
以下是有关此主题的一些链接:
Furthermore, I'd look to the machine.config
and set: 此外,我将查看
machine.config
并进行设置:
<deployment retail="true" />
This setting is supposed to ensure that debug mode is turned off and custom errors is turned on, so you do not accidentally leak things like stack traces and stuff. 此设置应确保关闭调试模式并打开自定义错误,因此您不会意外泄漏堆栈跟踪等内容。 Here's blog on the topic - another a nice Troy Hunt piece, like the one linked above - old, but still relevant:
以下是有关该主题的博客-另一个不错的Troy Hunt文章,就像上面链接的那篇文章-年代久远,但仍然很相关:
OWASP Top 10 for .NET developers part 6: Security Misconfiguration - Troy Hunt .NET开发人员的OWASP Top 10第6部分:安全性错误配置-Troy Hunt
解决了将此值添加到web.config
<sessionState cookieless="UseCookies" cookieName="AppNameSession"></sessionState>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.