What is .NET Core doing to the Key value returned by my custom ITicketStore implementation before it's sent to the browser?

I have implemented my own ITicketStore in .NET Core, which handles storing session cookies in a redis database. My key is a simple guid:

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var log = new StringWriter();
        var guid = Guid.NewGuid();
        var key = "MyCustomCache"+ guid.ToString();
        await RenewAsync(key, ticket);
        return key;
    }
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        var options = new DistributedCacheEntryOptions();
        var expiresUtc = ticket.Properties.ExpiresUtc;
        if (expiresUtc.HasValue)
        {
            options.SetAbsoluteExpiration(expiresUtc.Value);
        }
        byte[] val = SerializeToBytes(ticket);
        _cache.Set(key, val, options);
        return Task.FromResult(0);
    }

But in the browser, when I inspect the cookie's value, it appears to have been encoded/encrypted somehow (instead of being the guid I generated):

When the cookie is passed to my application, I notice that it has been converted back to the original value I created in StoreAsync:

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        // Key passed in here will not be the value in the image above. Instead it will be what was
        // generated in StoreAsync
        AuthenticationTicket ticket;
        byte[] bytes = null;
        bytes = _cache.Get(key);
        ticket = DeserializeFromBytes(bytes);
        return Task.FromResult(ticket);
    }

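What exactly is .NET Core doing to encrypt/encode my key? Will this affect my ability to load balance my application? I know that in the default session storage mechanism, .NET Core encrypts the session cookie using a dynamic key per machine.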

The authentication cookie is being encrypted using the default data protection.

This is where the key is added to the cookie (source):

    if (Options.SessionStore != null)
    {
        if (_sessionKey != null)
        {
            await Options.SessionStore.RemoveAsync(_sessionKey);
        }
        _sessionKey = await Options.SessionStore.StoreAsync(ticket);
        var principal = new ClaimsPrincipal(
            new ClaimsIdentity(
                new[] { new Claim(SessionIdClaim, _sessionKey, ClaimValueTypes.String, Options.ClaimsIssuer) },
                Options.ClaimsIssuer));
        ticket = new AuthenticationTicket(principal, null, Scheme.Name);
    }

    var cookieValue = Options.TicketDataFormat.Protect(ticket, GetTlsTokenBinding());

When switching to a SessionStore, the session key is simply added as a claim and then the cookie is protected.
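
What this means for load balancing, as an added example that is not part of the original answer: the protected cookie carrying the session key can only be read by an instance that uses the same Data Protection key ring and application name. The claim type, purpose strings, directory names and application name are constructed for the demo, and the project is assumed to reference the ASP.NET Core shared framework.

```csharp
using System;
using System.IO;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

public static class SessionKeyCookieDemo
{
    // Constructed for this demo; the real handler uses its own SessionIdClaim constant.
    private const string SessionIdClaim = "demo-session-id";
    private const string Scheme = "Cookies";

    // Builds a ticket format backed by the key ring stored in keyRingDir,
    // standing in for one application instance behind the load balancer.
    private static TicketDataFormat NodeFormat(string keyRingDir, string appName)
    {
        var provider = DataProtectionProvider.Create(
            Directory.CreateDirectory(keyRingDir),
            builder => builder.SetApplicationName(appName));
        // Purpose strings are constructed; they must match on both sides.
        return new TicketDataFormat(provider.CreateProtector("demo-cookie-auth", Scheme));
    }

    private static string SessionKeyOf(AuthenticationTicket ticket) =>
        ticket?.Principal.FindFirst(SessionIdClaim)?.Value;

    public static void Main()
    {
        var root = Path.Combine(Path.GetTempPath(), "dp-demo-" + Guid.NewGuid());
        var sharedRing = Path.Combine(root, "shared");
        var privateRing = Path.Combine(root, "private");

        // Same shape as the handler code above: the ticket holds only the store key.
        var sessionKey = "MyCustomCache" + Guid.NewGuid();
        var principal = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(SessionIdClaim, sessionKey) }, Scheme));
        var cookieValue = NodeFormat(sharedRing, "my-app")
            .Protect(new AuthenticationTicket(principal, null, Scheme));
        Console.WriteLine($"Cookie value sent to the browser: {cookieValue}");

        // A second instance reading the same key ring recovers the store key.
        var nodeB = NodeFormat(sharedRing, "my-app").Unprotect(cookieValue);
        Console.WriteLine($"Shared ring recovers key: {SessionKeyOf(nodeB) == sessionKey}");

        // An instance with its own key ring cannot decrypt the cookie;
        // Unprotect returns null and the request is treated as unauthenticated.
        var nodeC = NodeFormat(privateRing, "my-app").Unprotect(cookieValue);
        Console.WriteLine($"Private ring rejects cookie: {nodeC == null}");
    }
}
```

In a deployed application the equivalent is to persist the key ring to storage that every instance can reach and to set the same application name on each of them.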