问题标签 [cookieless]

I was trying to make my site working if browser cookies are disabled so tried with session and changed in web config with cookieless="AutoDetect" regenerateExpiredSessionId="true" in my registration form but now after filling form when i click to subim button page is again reloading and button click event is not fired.

Bob uses a web application in order to achieve something. And:

• His browser is on diet, therefore it does not support cookies.
• The web application is a popular one, it deals with a lot of users at a given moment - it has to scale well. As long as keeping session would impose a limit to the number of simultaneous connections, and, of course, will bring a non-negligible performance penalty, we might like to have a session-less system :)

Some important notes:

• we do have transport security (HTTPS and its best friends);
• behind the curtains, the web application delegates a lot of operations to external services, on current user's behalf (those systems do recognize Bob as one of their users) - this means that we have to forward them Bob's credentials.

Now, how do we authenticate Bob (on each and every request)? Which would be a reasonable way to implement such a thing?

• playing tennis with the credentials via HTML form hidden fields... the ball contains the credentials (username & password) and the two rackets are the browser and the web application respectively. In other words, we may transport data back and forth via form fields instead of via cookies. At each web request, the browser posts the credentials. Though, in the case of a single-page application, this may look like playing squash against a rubber wall, instead of playing tennis, as the web form containing the credentials might be kept alive the entire lifetime of the web page (and the server will be configured not to offer the credentials back).
• storing the username & the password in the context of the page - JavaScript variables etc. Single-page required here, IMHO.
• encrypted token - based authentication. In this case, the log-in action would result in the generation of an encrypted security token (username + password + something else). This token would be served back to the client and the upcoming requests will be accompanied by the token. Does this make sense? We already have HTTPS...
• others...
• last resort: do not do this, store credentials in the session! Session is good. With or without cookies.

Does any web / security concern come into your mind, regarding any of the previously described ideas? For example,

• time-outing - we may keep a timestamp, along with the credentials (time-stamp = the time Bob entered his credentials). E.g. when NOW - timestamp > threshold, we might deny the request.
• Cross-site scripting protection - should not be different in any way, right?

Thank you a lot for taking the time to reading this :)

我在 m.example.com 中运行我的移动网站，并创建了另一个子域来提供静态内容，即 static.example.com。

但是 static.example.com 提供 cookie 数据。

请建议。

在 Web 服务方法中启用会话，如下所示：

使用无 cookie 会话状态 (web.config)：

然后尝试从这样的客户端调用它：

您会收到一个重定向 WebException (302)，表示该对象已被移动：

Our company uses an ASP.NET webapp that I have to integrate with an external identity provider. For this, authentication traffic is in certain cases redirected to a handler which references some external library for interpreting the authentican requests from the identity provider.

So in those case where the handler code should be used for communicating with the identity provider, a redirect to it is made in the Global Application_BeginRequest. A bit like this:

Response.Redirect(tempUrl & "/auth/" & companyName & "/login.ashx")

The problem is that the session state is set as being cookieless in the root Web.Config like this:

<sessionState mode="InProc" [snip] cookieless="true" />

This means that the redirects themselves are caught and redirected again with a session id prefixed. From the login.ashx handler a request is sent to an URL at the external identity provider, which authenticates and sends its response back as a POST to the very same handler URL, namely "http://www.thesite.com/auth/somecompany/login.ahsx", however, this time without session id, of course. So again, the POST is redirected as a GET, stripping the response from its form data, so authentication cannot proceed. The request is then redirected back to identity provider in an endless loop.

So, we need to turn off cookieless sessionstate for the particular handler. We've investigated several options.

Firstly, the EnableSessionState attribute cannot, unfortunately, be used on handler page directives.

Then, we tried to change the sessionstate behavior of the request to the particular URL by catching and disabling it in Global.asax.Application_BeginRequest, like so:

HttpContext.Current.SetSessionStateBehavior(System.Web.SessionState.SessionStateBehavior.Disabled)

That seemed to work at one stage, but not anymore and we're not sure why.

We also tried to see whether "cookieless" could be altered dynamically, but the corresponding field appears to be read-only.

We've put a separate Web.config in the "auth" folder and tried to set cookieless to true there, but that was not allowed.

We can catch the response and see whether is being redirected in Application_EndRequest and were wondering whether the redirection and session id insertion could be prevented somehow for the particular URL, but we're not sure how. Does anyone have some tips? We're running out of ideas...

这是我真正支持 SSL 的域 --> https://www.wknet.se/
这是我的无 cookie 域 --> http://cdnwknet.com/

我希望我的真实网站在设置完成后看起来像这样 --> wknet.se/?style。

在<head>我的真实站点中，我有这个 --> <link rel="stylesheet" href="http://cdnwknet.com/wk-templates/css/bootstrap.3.2.0.min.css" media="all">。如您所见，我将静态 css 文件指向我的 cookie 免费域。

我的 cookie 免费域的配置文件如下所示：

在我的真实域的 DNS 设置中，我添加了一个 CNAME，如下图所示 ---> i.stack.imgur.com/y0BkE.jpg

我正在使用 DigitalOcean 和我的真实站点，并且无 cookie 域位于同一个 Droplet（服务器）上。无 cookie 域与我的真实域具有相同的 IP 地址。

现在，我在这里缺少什么，我的 cookie 免费域配置是否正确？

如果需要更改，这是我的真实域的配置：

I have a Concrete5 site which already has a bunch of contents and I want to point the images to my cookieless domain without replacing the urls.

I created an htaccess that will redirect all images from my main site to the cookieless domain

It's actually working but YSlow doesn't seem to honor this. It's still giving me a low score on that part.

有人知道当前和下一个版本的 ASP.NET 或 ASP.NET MVC 中对 cookieless 会话的支持吗？

他们说不推荐使用无 cookie 会话（原因很清楚）并且已弃用。但我找不到任何官方确认信息，例如来自 Microsoft 网站、ASP.NET 博客、路线图或任何官方信息。

背景：为什么我需要这个： 我的应用程序可以嵌入到 iframe 中。默认情况下，Mac 上的 Safari 浏览器具有禁用第三方 cookie 的设置，因此有效地为我的应用禁用了 cookie。我不能要求每个人都允许第三方 cookie。

即使cookie被阻止，我也需要一些方法来验证请求。Jetty 和 tomcat 提供了基于查询字符串的会话，但是在我转向播放框架之后，我找不到任何关于此的信息。请让我知道是否有一种简单的方法可以让我通过手动解析查询字符串来自己管理会话。

I have a cookieless web application based on asp.net 4.5.

I access this application from a redirection, by sending the session Id in the request:

GET /WebApp/(S(stbb3233i55s0quqxs40x))/default.aspx HTTP/1.1

for some reason unknown I can't create the asp.net session and got stucked in a redirect loop. Any thoughts about how to overcome this situation?.