简体繁体 English

在没有QueryStrings的Response.Redirect上传递参数

[英]Passing Parameters on Response.Redirect without QueryStrings

原文 2018-10-16 19:28:51 5 2 c#/ asp.net-mvc/ vbscript/ asp-classic

I am really just wondering if this is even possible. 我真的只是想知道这是否可能。 So we are in the process of redoing our website from Classic ASP to ASP.NET MVC. 所以我们正在将我们的网站从Classic ASP重做为ASP.NET MVC。 However, we are doing it a little bit at a time currently. 但是，我们目前正在做一点点。 We are splitting it into three new ASP.NET MVC projects that will each have their own domain. 我们将它分成三个新的ASP.NET MVC项目，每个项目都有自己的域。 The issue that I am running into is we want to login on one page (which is currently the existing Classic ASP), and then redirect them to the new domain while passing stuff like a SessionID. 我遇到的问题是我们想要在一个页面（当前是现有的经典ASP）上登录，然后在传递诸如SessionID之类的东西时将它们重定向到新域。

I got it working decently by storing information in the DB when they log in then sending it via QueryStrings. 我通过在登录时将信息存储在数据库中然后通过QueryStrings发送它来使其正常工作。 The issue is the manager wants me to not use QueryStrings due to possible information (like UserId) being sent there. 问题是管理员希望我不使用QueryStrings，因为可能的信息（如UserId）被发送到那里。 So he is suggesting sending it via headers. 所以他建议通过标题发送它。 This works by using a GET request and adding the information in the header. 这通过使用GET请求并在标头中添加信息来工作。 I cannot redirect via the GET as far as I know. 据我所知，我不能通过GET重定向。 I don't think redirecting via a POST would work either. 我不认为通过POST重定向也可以。

Is there a way to redirect from one domain to another while passing information that does not require QueryStrings? 有没有办法在传递不需要QueryStrings的信息时从一个域重定向到另一个域？ If you need more information let me know. 如果您需要更多信息，请告诉我。

2 个解决方案

You can't directly instruct the user's browser to send a header when it fetches the second website. 您无法直接指示用户的浏览器在获取第二个网站时发送标头。 Basically you're just giving it the address, and it will fetch the page by itself. 基本上你只是给它地址，它将自己获取页面。 What may be possible, if both sites have the same top-level domain (ie website1.example.com & website2.example.com ), which sounds likely, is that you could just use a cookie, stored on the base domain ( *.example.com ). 如果两个站点都具有相同的顶级域名（即website1.example.com和website2.example.com ），这听起来很可能，那么您可以使用存储在基本域中的cookie（ *.example.com ）。 So the flow would be - 所以流程将是 -

User logs in, you return a response with a Set-Cookie header and a Location header (this is the redirect). 用户登录后，您将返回带有Set-Cookie标头和Location标头的响应（这是重定向）。
User's browser stores the value(s) you asked it to store in it's cookie store. 用户的浏览器存储您要求它存储在其cookie存储区中的值。
User's browser makes a request to the site you redirected to. 用户的浏览器向您重定向到的站点发出请求。 Because you set the cookie at the base domain level, it will be sent to any *.example.com , basically meaning the second site will get a header ( Cookie ) with the info from the first site. 因为您在基本域级别设置cookie，它将被发送到任何*.example.com ，基本上意味着第二个站点将获得带有来自第一个站点的信息的标题（ Cookie ）。
In the second site, read the cookie, and do whatever logic you need. 在第二个站点中，阅读cookie，并执行您需要的任何逻辑。

Important to make clear (just because you referenced something that sounded like a security concern) - this is by no means safer than passing the parameter in the redirect itself - it's just a solution for what you asked. 重要的是要明确（仅仅因为你引用了一些听起来像安全问题的东西） - 这比在重定向本身中传递参数更安全 - 它只是你问的解决方案。 Don't use this method to pass information that you don't want exposed. 请勿使用此方法传递您不希望公开的信息。

Relevant - 相关 -

Share cookie between subdomain and domain 在子域和域之间共享cookie

ASP.NET Cookies Overview ASP.NET Cookie概述

There are a few options 1) If you can't use querystrings you could write the values into a form and POST (rather than GET). 有几个选项1）如果你不能使用查询字符串，你可以将值写入表单和POST（而不是GET）。 Put a javascript on it to autopost. 将javascript放在autopost上。 So user logs in on classic ASP, it writes the values to a form on next page and then auto submits that form. 因此，用户登录经典ASP，它将值写入下一页的表单，然后自动提交该表单。 This still isn't super secure, as the form fields could be read 2) To make more secure you could hash or encrypt the values in the form, if you were going this route you could encrypt all the fields and then pass via the query string 这仍然不是超级安全的，因为可以读取表单字段2）为了更安全，您可以散列或加密表单中的值，如果您使用此路由，您可以加密所有字段，然后通过查询传递串

We've had this situation before where main system was classic ASP, and a new part of the system was MVC ASP.NET. 在主系统是经典ASP之前我们遇到过这种情况，系统的新部分是MVC ASP.NET。 We used an encryption component on the ASP side (ASPEncrypt) and built in decryption in ASP.NET to get users to securely transfer between the systems while maintaining track of who was logged in. 我们在ASP端使用了一个加密组件（ASPEncrypt），并在ASP.NET中构建了解密，以便用户在系统之间进行安全传输，同时保持对谁登录的跟踪。