问题描述
详细内容:
的我有两个应用程序的
一个是一个简单的 HTML
应用程序,另一个是 ASP.NET MVC4的WebAPI
应用程序和项目内相同的解决方案中,我已经设置多个初创项目运行同一时间的应用程序。
One is a simple HTML
application and another one is an ASP.NET MVC4 WebApi
application and the projects are inside of same solution and i have set multiple start-up project for run the application for same time .
工作版:
我已经在Web API项目中使用的Web安全。我做了全面落实网络安全的...
I have Used Web Security in the Web API project. I did full implementation of web security...
登录行动code
// GET api/company
[System.Web.Http.AcceptVerbs("Post")]
[System.Web.Http.HttpPost]
public HttpResponseMessage Login(LoginRequest loginRequest)
{
try
{
if (WebSecurity.Login(loginRequest.EmailAddress, loginRequest.Password, true))
{
var userDetails = new string[2];
userDetails[0] = loginRequest.EmailAddress;
var currentUSerRole = Roles.GetRolesForUser(loginRequest.EmailAddress);
userDetails[1] = currentUSerRole[0].ToString();
HttpResponseMessage response =
Request.CreateResponse(HttpStatusCode.Accepted, userDetails);
return response;
}
else
{
HttpResponseMessage response
= Request.CreateResponse(HttpStatusCode.Unauthorized);
return response;
}
}
catch (Exception e)
{
HttpResponseMessage response
= Request.CreateResponse(HttpStatusCode.Unauthorized);
return response;
}
}
* WebSecurity.Login *
正在所有的浏览器,当我使用调用登录方法阿贾克斯
。
但我在另一个控制器的另一种方法,即命名为 CurrentDateAndUser
*WebSecurity.Login*
is working on all browsers when i call the login method using Ajax
.But I have another method in another controller, That named as CurrentDateAndUser
code:
[AllowAnonymous]
[System.Web.Http.AcceptVerbs("Get")]
[System.Web.Http.HttpGet]
public HttpResponseMessage CurrentDateAndUser()
{
if (WebSecurity.IsAuthenticated)
{
int userId = WebSecurity.CurrentUserId;
string[] currentDateAndUSerId = new string[2];
currentDateAndUSerId[0] = userId.ToString();
currentDateAndUSerId[1] = DateTime.UtcNow.ToString();
HttpResponseMessage response =
Request.CreateResponse(HttpStatusCode.Accepted, currentDateAndUSerId);
return response;
}
HttpResponseMessage responseNew =
Request.CreateResponse(HttpStatusCode.NotAcceptable);
return responseNew;
}
问题:
- 如果我打电话从Microsoft Internet Explorer使用Ajax调用
CurrentDateAndUser
方法,然后一切正常。在WebSecurity.IsAuthenticated
返回true,并且运作良好。
- If I call the
CurrentDateAndUser
method from Microsoft Internet Explorer Using an Ajax call, then everything works. TheWebSecurity.IsAuthenticated
returns true and is working well.
的然而的
- 如果我把从谷歌浏览器或Mozilla Firefox使用Ajax调用
CurrentDateAndUser
方法,那么没有什么作品。在WebSecurity.IsAuthenticated
始终返回false。
- If I call the
CurrentDateAndUser
method from Google Chrome Or Mozilla Firefox using an Ajax call, then nothing works. TheWebSecurity.IsAuthenticated
always returns false.
的我不知道为什么。如果你有任何想法,那么请让我知道。的
的我也发现了类似的问题(不知道这是一个真正的问题):的
当我使用Fiddler运行我的申请,我看到一个不同的结果:
When I run my application with Fiddler, I see a different result:
当我打电话从IE中的 CurrentDateAndUser
方法,请求为:
When i call the CurrentDateAndUser
method from IE, the request is:
我可以看到库克/上述图像登录值
I can see the Cooke/Login values in above image
但是,当我打电话从Chrome和Firefox的 CurrentDateAndUser
方法,请求为:
But When i call the CurrentDateAndUser
method from Chrome And Firefox , the request is:
我看不到Cookie值,这意味着网络Security.IsAuthenticated
属性返回假
。
I can't see the cookie values, meaning that the Web Security.IsAuthenticated
property is returning false
.
它是错误的 WebSecurity
?????
Is it Bug in WebSecurity
?????
我的Ajax请求code是
function GetCurrentUserId() {
return $.ajax({
method: 'GET',
url: rootUrl + '/api/Common/CurrentDateAndUser',
async: false
}).success(function (response) {
return response[0];
}).error(function () {
toastr.error('Somthing is wrong', 'Error');
})
}
的此请求当我运行在Chrome和Firefox的应用程序不发送验证Cookie值的Web API的方法,但是,这个请求发送cookie值到API的方法,如果在IE 运行EM>
我已经发布了图片,请在上面的图片来看看
推荐答案
这个问题是不是与网络安全可言,它与您实现您的安全的方式。你不应该使用用户ID,电子邮件或任何在饼干很重要的。
The issue is not with web security at all, it's with the way you implement your security. You should never be using a userid, email, or anything important in the cookies.
我会建议你使用 FormsAuthentication
类加密和解密你的cookies,即使如此,单店的东西,如的SessionID加上会话ID的自定义哈希验证你的自我,当你解密的cookie
I would suggest you use the FormsAuthentication
class to encrypt and decrypt your cookies, and even so, only store something such as the SessionID plus a custom hash of that session ID to verify your self when you decrypt the cookie
下面是一个给人以pretty很好的例子,一个网站的
Here is a site that gives a pretty good example: http://www.c-sharpcorner.com/uploadfile/nipuntomar/update-formsauthenticationticket/
这篇关于网络安全在IE VS Chrome浏览器和火狐(错误)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!