天天看点

[ASP.NET Core 3.1]浏览器嗅探解决部分浏览器丢失Cookie问题

[ASP.NET Core 3.1]浏览器嗅探解决部分浏览器丢失Cookie问题

看了前文的同学们应该都知道,搜狗、360等浏览器在单点登录中反复重定向,最终失败报错。

原因在于,非Chrome80+浏览器不识别Cookie上的SameSite=none属性值,导致认证Cookie在后续请求中被抛弃。

截至2020/3/30号,非Chrome浏览器测试包含两种结果:

case1:可设置cookie的samesite=none, 浏览器可读取该cookie

case2:对cookie设置samesite=none, 浏览器不能读取该cokie

浏览器 最新版本号 结果 备注

IE 11 case1 win10

Edge 44.18362.449.0 case1 2020/2/15开始使用chrome内核/70.0.3538.102

Firefox 74 case1

360急速浏览器 12.0.1190.0 case1 基于chromium78

搜狗浏览器 8.6.1.31812 case2 User-Agent: Chrome/65.0.3314.0

猎豹安全浏览器 6.5.115 case2 User-Agent:Chrome/57.0.2987.98

QQ浏览器 10.5.3 case1 chromium 70

华为手机浏览器 10.0.6.304 case1

魅族手机浏览器 8.5.1 case2

嗯,我之前报的360急速浏览器在新版已经更新了Chrome内核,作为主流的搜狗和猎豹浏览器还是使用旧版本Chrome内核,这是要闹哪样?

如果Web应用程序打算支持旧内核浏览器,则需要实现浏览器嗅探。

ASP.NET Core不会帮你实现浏览器嗅探,因为User-Agents值易变且经常更改。

但是Microsoft.AspNetCore.CookiePolicy中的扩展点允许插入浏览器嗅探逻辑。

在Startup.Configure中,在调用UseAuthentication或任何写入cookie的方法之前添加调用UseCookiePolicy的代码:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

{

if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();           

// 表示ASP.NET Core 启动Cookie策略

app.UseCookiePolicy();
app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapRazorPages();
});           

}

在Startup.ConfigureServices, 添加Cookie的策略配置代码:

public void ConfigureServices(IServiceCollection services)

services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = (SameSiteMode)(-1);
    options.OnAppendCookie = cookieContext =>
        CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
    options.OnDeleteCookie = cookieContext =>
        CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
});

services.AddRazorPages();           

private void CheckSameSite(HttpContext httpContext, CookieOptions options)

if (options.SameSite == SameSiteMode.None)
{
    var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
    if (MyUserAgentDetectionLib.DisallowsSameSiteNone(userAgent))
    {
        options.SameSite = SameSiteMode.Unspecified;
    }

}           

上面的例子中,MyUserAgentDetectionLib.DisallowsSameSiteNone 是一个自定义的库文件,侦测不支持SameSite=None的UserAgent。

ASP.NET Core3.1 对与SameSiteMode新增了一个 Unspecified枚举值,表示服务端不会对Cookie设置SameSite属性值, 后面的携带Cookie的事情交给浏览器默认配置。

具体的侦测代码如下:

public static bool DisallowsSameSiteNone(string userAgent)

// Check if a null or empty string has been passed in, since this
// will cause further interrogation of the useragent to fail.
 if (String.IsNullOrWhiteSpace(userAgent))
    return false;

// Cover all iOS based browsers here. This includes:
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
// All of which are broken by SameSite=None, because they use the iOS networking
// stack.
if (userAgent.Contains("CPU iPhone OS 12") ||
    userAgent.Contains("iPad; CPU OS 12"))
{
    return true;
}

// Cover Mac OS X based browsers that use the Mac OS networking stack. 
// This includes:
// - Safari on Mac OS X.
// This does not include:
// - Chrome on Mac OS X
// Because they do not use the Mac OS networking stack.
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
    userAgent.Contains("Version/") && userAgent.Contains("Safari"))
{
    return true;
}

// Cover Chrome 50-69, because some versions are broken by SameSite=None, 
// and none in this range require it.
// Note: this covers some pre-Chromium Edge versions, 
// but pre-Chromium Edge does not require SameSite=None.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
{
    return true;
}

return false;           

总结

本文实战演示在ASP.NET Core扩展点插入浏览器嗅探逻辑,解决设备不支持cookie SameSite=none的历史问题.

https://www.chromium.org/updates/same-site/incompatible-clients

原文地址

https://www.cnblogs.com/JulianHuang/p/12596115.html

继续阅读