本文讨论了使用ASP.NET 4.0进行表单认证时遇到的问题,特别是当使用Internet Explorer 11时。由于IE11的用户代理字符串被设计为避免传统的浏览器嗅探逻辑,这导致了ASP.NET服务器忽略了IE11发送的认证Cookie。通过设置cookieless属性为UseCookies解决了此问题,并且安装了针对.NET 4.0的补丁。
As I mentioned earlier, solutions that rely on User-Agent sniffing may break, when a new browser or a new version of an existing browser is released. Unfortunately because ASP.NET also contains browser-specific code, the new Internet Explorer 11 may cause some problems there as well.
Lucky coincidence, that one day after my previous post Eric Lawrence published an articleabout IE11 and User-Agent sniffing. Some interesting facts from his article:
- The IE team deliberately designed the UA string to cause most sniffing logic to interpret it either Gecko or WebKit and not as previous IE version.
- During the summer the ASP.NET team published a set of patches to fix the IE11 issues in earlier .NET versions. For example KB2836939 is for .NET 4.0, and you can find more links in Eric’s article.
The issue we experienced was on an older server that was running ASP.NET 4.0. IE11 sent the forms authentication cookie to the server, but the server completely ignored it. In theweb.config file the forms element didn’t contain the cookieless attribute, because the default UseDeviceProfile worked perfectly before, however now we had to set it toUseCookies to make the authentication work with IE11 as well.
The patch mentioned earlier was not installed on this server, and we have not seen similar issues on .NET 4.5.
By the way setting cookieless="UseCookies" explicitly is a good security practice.
原文地址:http://gyorgybalassy.wordpress.com/2013/09/23/aspnet-40-forms-authentication-issues-with-ie11/
扫一扫
23
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
