我一直在试图找到一个明确的答案,为什么我看到这种行为。我用的是微软的ASP。NET身份模板项目,只是看看如何身份,OWIN等工作。我注意到每次我提出请求时(去联系、管理等)。我的AspNet。ApplicationCookie有一个不同的加密字符串(当在Chrome或IE上使用开发人员工具时)。起初我认为这可能是因为我没有为用户添加任何声明,但我尝试添加一些声明,仍然看到相同的行为。有人知道为什么吗?是否只是加密的cookie发生了变化,因为OWIN中间件对cookie进行了加密?如有任何帮助,不胜感激。
我读https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
和http://tech.trailmax.info/2014/08/aspnet-identity-cookie-format/
,但都没有真正解释为什么我可能会看到我所看到的行为。再次感谢大家。
更新:这是我的startup.Auth.cs
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
LogoutPath = new PathString("/Account/LogOff"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(0),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
},
});
//app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// these two lines of code are needed if you are using any of the external authentication middleware
app.Properties["Microsoft.Owin.Security.Constants.DefaultSignInAsAuthenticationType"] = "ExternalCookie";
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "ExternalCookie",
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
});
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
}
您的问题与validateInterval: TimeSpan.FromMinutes(0),一致,这里您有效地说"在每个请求上重新生成cookie"-这是针对安全印章更改时全局cookie无效。
将validateInterval设置为几分钟-您不会在每个请求中获得cookie无效,只有每隔几分钟您设置为