根据浏览器有条件地设置 ASP.NET 会话和身份验证 cookie samesite 值
Condtionally set ASP.NET session and authentication cookies samesite value based on browsers
我对我的 web.config 进行了以下更改,我能够使用 samesite=none 和安全地为身份验证和会话 cookie 服务器提供服务。
问题是浏览器如 chrome 51-66 发送 samesite=none 使 cookie 无效,然后用户没有会话并且无法登录。
https://www.chromium.org/updates/same-site/incompatible-clients
有没有一种方法可以扩展创建这些 cookie 的 类 或其他一些方法来根据 browser/useragent
有条件地设置 samesite 参数
<system.web>
<httpCookies sameSite="None"/>
<sessionState cookieSameSite="None" />
<authentication mode="Forms">
<forms cookieSameSite="None" />
</authentication>
虽然不是一个完整的解决方案(因为在我的用例中它只涵盖会话 cookie,我手动设置了表单身份验证 cookie),但我在我的 MVC5 应用程序中实现了以下内容来处理 SameSite
属性:
在Global.asax.cs
protected void Session_Start(object sender, EventArgs e)
{
var cookie = Response.Cookies["ASP.NET_SessionId"];
if (cookie != null)
cookie.SameSite = SameSiteCookieUtils.GetSameSiteMode(Request.UserAgent, SameSiteMode.None);
}
// Ref https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1#supporting-older-browsers
public static class SameSiteCookieUtils
{
/// <summary>
/// -1 defines the unspecified value, which tells ASPNET to not send the SameSite attribute
/// </summary>
public const SameSiteMode Unspecified = (SameSiteMode) (-1);
public static SameSiteMode GetSameSiteMode(string userAgent, SameSiteMode mode)
{
if (string.IsNullOrWhiteSpace(userAgent))
return mode;
if (mode == SameSiteMode.None && DisallowsSameSiteNone(userAgent))
return Unspecified;
return mode;
}
public static bool DisallowsSameSiteNone(string userAgent)
{
// Cover all iOS based browsers here. This includes:
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
// All of which are broken by SameSite=None, because they use the iOS networking
// stack.
if (userAgent.Contains("CPU iPhone OS 12") ||
userAgent.Contains("iPad; CPU OS 12"))
{
return true;
}
// Cover Mac OS X based browsers that use the Mac OS networking stack.
// This includes:
// - Safari on Mac OS X.
// This does not include:
// - Chrome on Mac OS X
// Because they do not use the Mac OS networking stack.
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
userAgent.Contains("Version/") && userAgent.Contains("Safari"))
{
return true;
}
// Cover Chrome 50-69, because some versions are broken by SameSite=None,
// and none in this range require it.
// Note: this covers some pre-Chromium Edge versions,
// but pre-Chromium Edge does not require SameSite=None.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
{
return true;
}
return false;
}
}
使用来自 Microsoft 文档的 DisallowsSameSiteNone
逻辑 https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1#supporting-older-browsers
我也在我的web.config
中设置了以下内容
<httpCookies httpOnlyCookies="true" requireSSL="true" />
希望其中一些对你有用
我对我的 web.config 进行了以下更改,我能够使用 samesite=none 和安全地为身份验证和会话 cookie 服务器提供服务。
问题是浏览器如 chrome 51-66 发送 samesite=none 使 cookie 无效,然后用户没有会话并且无法登录。 https://www.chromium.org/updates/same-site/incompatible-clients
有没有一种方法可以扩展创建这些 cookie 的 类 或其他一些方法来根据 browser/useragent
有条件地设置 samesite 参数<system.web>
<httpCookies sameSite="None"/>
<sessionState cookieSameSite="None" />
<authentication mode="Forms">
<forms cookieSameSite="None" />
</authentication>
虽然不是一个完整的解决方案(因为在我的用例中它只涵盖会话 cookie,我手动设置了表单身份验证 cookie),但我在我的 MVC5 应用程序中实现了以下内容来处理 SameSite
属性:
在Global.asax.cs
protected void Session_Start(object sender, EventArgs e)
{
var cookie = Response.Cookies["ASP.NET_SessionId"];
if (cookie != null)
cookie.SameSite = SameSiteCookieUtils.GetSameSiteMode(Request.UserAgent, SameSiteMode.None);
}
// Ref https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1#supporting-older-browsers
public static class SameSiteCookieUtils
{
/// <summary>
/// -1 defines the unspecified value, which tells ASPNET to not send the SameSite attribute
/// </summary>
public const SameSiteMode Unspecified = (SameSiteMode) (-1);
public static SameSiteMode GetSameSiteMode(string userAgent, SameSiteMode mode)
{
if (string.IsNullOrWhiteSpace(userAgent))
return mode;
if (mode == SameSiteMode.None && DisallowsSameSiteNone(userAgent))
return Unspecified;
return mode;
}
public static bool DisallowsSameSiteNone(string userAgent)
{
// Cover all iOS based browsers here. This includes:
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
// All of which are broken by SameSite=None, because they use the iOS networking
// stack.
if (userAgent.Contains("CPU iPhone OS 12") ||
userAgent.Contains("iPad; CPU OS 12"))
{
return true;
}
// Cover Mac OS X based browsers that use the Mac OS networking stack.
// This includes:
// - Safari on Mac OS X.
// This does not include:
// - Chrome on Mac OS X
// Because they do not use the Mac OS networking stack.
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
userAgent.Contains("Version/") && userAgent.Contains("Safari"))
{
return true;
}
// Cover Chrome 50-69, because some versions are broken by SameSite=None,
// and none in this range require it.
// Note: this covers some pre-Chromium Edge versions,
// but pre-Chromium Edge does not require SameSite=None.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
{
return true;
}
return false;
}
}
使用来自 Microsoft 文档的 DisallowsSameSiteNone
逻辑 https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1#supporting-older-browsers
我也在我的web.config
<httpCookies httpOnlyCookies="true" requireSSL="true" />
希望其中一些对你有用