堆栈内存溢出
  简体   繁体   English

在已登录的 session 上使用不同用户登录 OIDC

[英]OIDC login with different user on an already logged in session

 原文  2019-11-16 00:48:02       c#/ asp.net-core-mvc/ asp.net-identity/ openid-connect

问题描述

I have a scenario where user opens two login screens.我有一个用户打开两个登录屏幕的场景。 Enters credentials for user A and successfully logs into the system.输入用户A 的凭据并成功登录系统。 Now user goes back to the other login screen and enters credentials for user B .现在用户返回另一个登录屏幕并输入用户B的凭据。 The current behavior is that the browser window shows:当前行为是浏览器 window 显示:

This page isn't workingIf the problem continues, contact the site owner.此页面无法正常工作如果问题仍然存在,请联系网站所有者。 HTTP ERROR 400 HTTP 错误 400

The login method in controller is not reached instead the above error method is displayed in the browser window. controller中的登录方法没有到达,而是在浏览器window中显示上述错误方法。

How do I handle this scenario?我该如何处理这种情况?

在此处输入图像描述

1 个解决方案

解决方案1
 0  2019-11-17 18:33:11

As mentioned in my comment, your site is storing data inside cookies and this data seems to confuse the server.正如我在评论中提到的,您的网站将数据存储在 cookies 中,这些数据似乎使服务器感到困惑。 So the simple fix is to find out which cookie setting will confuse the server.所以简单的解决方法是找出哪个 cookie 设置会混淆服务器。 That part of the code needs to be changed.这部分代码需要更改。
At a minimum, your login page should create a session ID , which would be stored inside the cookie.至少,您的登录页面应创建一个 session ID ,该 ID 将存储在 cookie 中。 So if a user logs in and it notices an existing session cookie then don't continue to log in. The user is already logged in. Just forward the user to the normal page that he would see after logging in. He should be authenticated by now.因此,如果用户登录并注意到现有的 session cookie,则不要继续登录。用户已经登录。只需将用户转发到登录后将看到的正常页面。他应该通过以下方式进行身份验证现在。
As an alternative, you can choose to use cookieless session ID's.作为替代方案,您可以选择使用无 cookie session ID。 This will likely make the session ID part of the URL, which will require the use of SSL/HTTPS for your website to avoid hackers hijacking the session.这可能会使 session ID 成为 URL 的一部分,这将要求您的网站使用 SSL/HTTPS,以避免黑客劫持 Z21D6F40CFB511982E4424E0E250A9。 But the advantage is that you can log in as two different users using a single browser with two or more open tabs.但优点是您可以使用带有两个或更多打开选项卡的单个浏览器以两个不同的用户身份登录。
But fixing the error in the login code might be more practical.但是修复登录代码中的错误可能更实用。 You are using OpenID Connect so when a user logs in, first check if he's already authenticated.您正在使用OpenID Connect ,因此当用户登录时,首先检查他是否已经过身份验证。 (That would have happened on the second page.) If so, don't log them in again. (这会在第二页发生。)如果是这样,请不要再次登录。 But it depends on the code behind the login page that seems to mess things up when a user tries to log in twice without logging off, Without seeing the code.但这取决于登录页面背后的代码,当用户尝试登录两次而不注销,没有看到代码时,这些代码似乎把事情搞砸了。 I can't tell exactly where to look.我不能确切地说出在哪里看。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 阻止已登录用户的登录 - Prevent login of already logged-in user 如果用户已经登录,请重定向到其他页面 - If user is already logged in, redirect to a different page 通过使其会话无效来强制登录用户重新登录 - Force a logged in user to re-login by invalidating his session 从其他用户会话获取当前登录的用户 - Getting the Current Logged On User from a different User Session 检查用户是否已经登录 - Check if user is already logged in 如果用户已经登录 Blazor 服务器,如何将身份登录页面设置为启动页面并将用户重定向到仪表板 - How To Make Identity Login Page As Startup Page And Redirect User to Dashboard If User Is Already Logged-in In Blazor Server 如何检查用户是否已登录? - How to check if user is already logged in? 如何停止已经登录的用户使用浏览器的后退按钮再次登录? - How do I stop already logged in user to login again using back button of the browser? 用户已经登录后如何在其他帐户上登录? - How to login User on other account while he's already logged in on his? 用户已经登录后,如何重定向到未授权页面而不是登录页面? - How do I redirect to a not-authorized page instead of the login page when the user is already logged in?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM