.NET SameSite cookie and OWIN

Tags: .net, google-chrome, owin, samesite

To stay compatible with Chrome 80 we have implemented SameSite cookies for our OWIN application.

We have:

  • upgraded OWIN to 4.1
  • targeted .NET Framework 4.7.2
  • It works fine in the Chrome v80 beta. However, in strict mode (`.\chrome.exe --enable-features=SameSiteDefaultChecksMethodRigorously`) it gives the following error:

    Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
       at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
       at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
       at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.d__9.MoveNext(


    Has anyone run into this problem?

    Probably too late an answer to this question, but better late than never :-)

    Chrome has been updated and changed to reduce cross-site request forgery (CSRF); for security reasons these changes will be rolled out progressively in all browsers. [https://blog.chromium.org/2020/05/resuming-samesite-cookie-changes-in-july.html]

    The patch below worked for me

  • Add the following code to web.config

    <!-- The <rewrite> element belongs inside <system.webServer> and requires the IIS URL Rewrite module -->
    <rewrite>
      <outboundRules>
        <!-- Add "SameSite=None" to any cookie which does NOT have it yet -->
        <!-- currently this only works for secure https cookies -->
        <rule name="Add SameSite">
          <conditions>
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=None" />
        </rule>

        <!-- Add "Secure" to any cookie which does NOT have it yet, as long as it's an HTTPS request,
             or else a secure cookie would just be ignored -->
        <rule name="Add Secure">
          <conditions>
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; Secure" negate="true" />
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; Secure" />
        </rule>

        <!-- If SameSite was set to None by cookieSameSite="None",
             remove it for non-https requests (currently only works for https).
             The Rewrite action replaces the whole header, so capture the text before
             and after the attribute and re-emit both; otherwise the cookie is truncated. -->
        <rule name="No SameSite For HTTP">
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*);\s*SameSite=None(.*)" />
          <action type="Rewrite" value="{R:1}{R:2}" />
        </rule>
      </outboundRules>
    </rewrite>
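The outbound rules in the answer above are easy to get subtly wrong, because an IIS URL Rewrite `Rewrite` action on a server variable replaces the *entire* header value with the expanded action value, and a negated `; SameSite=None` condition does not stop a cookie that already carries `SameSite=Lax` from receiving a second SameSite attribute. The following Python script is an added example, not code from the question, the answer or the URL Rewrite module: it emulates the three rules on constructed Set-Cookie values so their effect can be checked offline before touching web.config. It assumes (these are assumptions, not facts from the page) that each Set-Cookie header is rewritten independently, that the rules run in order with each rule seeing the previous rule's output, and that patterns are matched case-insensitively, which is the URL Rewrite default for `ignoreCase`. It also shows why a match pattern that captures a single character, such as `(.);(\s)SameSite=None` with `{R:1}`, would wipe the cookie, whereas `(.*);\s*SameSite=None(.*)` with `{R:1}{R:2}` strips only the attribute.

```python
import re

# Added example emulating the answer's IIS URL Rewrite outbound rules.
# Assumptions (not from the page): one Set-Cookie header per call, rules run
# in order and see each other's output, case-insensitive matching.


def iis_rewrite(value: str, pattern: str, template: str) -> str:
    """Emulate <match serverVariable=... pattern=...> + <action type="Rewrite" value=...>.

    The first match of `pattern` in `value` binds {R:0} (whole match) and
    {R:1}..{R:9} (capture groups). On a match the *entire* variable is replaced
    by the expanded template; with no match the value is left untouched.
    """
    m = re.search(pattern, value, re.IGNORECASE)
    if m is None:
        return value

    def expand(ref):
        n = int(ref.group(1))
        if n > m.re.groups:
            raise ValueError(f"{{R:{n}}} has no capture group in pattern {pattern!r}")
        return m.group(n) or ""

    return re.sub(r"\{R:(\d)\}", expand, template)


def condition(value: str, pattern: str, negate: bool = False) -> bool:
    """Emulate one <add input="{RESPONSE_Set_Cookie}" pattern=... negate=.../>."""
    return (re.search(pattern, value, re.IGNORECASE) is not None) != negate


def rewrite_set_cookie(set_cookie: str, https: bool) -> str:
    """Apply the answer's three outbound rules to a single Set-Cookie value."""
    v = set_cookie
    # Rule "Add SameSite": append SameSite=None on HTTPS if not already present.
    # Note: a cookie already marked SameSite=Lax still gets "; SameSite=None"
    # appended; browsers honour the last occurrence, so the Lax intent is lost.
    if https and condition(v, ".") and condition(v, "; SameSite=None", negate=True):
        v = iis_rewrite(v, ".*", "{R:0}; SameSite=None")
    # Rule "Add Secure": browsers only accept SameSite=None together with Secure.
    if https and condition(v, ".") and condition(v, "; Secure", negate=True):
        v = iis_rewrite(v, ".*", "{R:0}; Secure")
    # Rule "No SameSite For HTTP": strip SameSite=None on plain HTTP, keeping the
    # text before and after the attribute so the rest of the cookie survives.
    if not https:
        v = iis_rewrite(v, r"(.*);\s*SameSite=None(.*)", "{R:1}{R:2}")
    return v


if __name__ == "__main__":
    # Constructed sample headers (not captured from a real application).
    samples = [
        ("OpenIdConnect.nonce.abc=xyz; path=/; HttpOnly", True),
        ("auth=token; path=/; SameSite=Lax; Secure", True),
        ("auth=token; path=/; SameSite=None; Secure", False),
    ]
    for header, https in samples:
        scheme = "https" if https else "http "
        print(f"{scheme} | {header}\n      -> {rewrite_set_cookie(header, https)}")
    # A single-character capture with {R:1} replaces the whole header with one character:
    print(iis_rewrite("auth=token; path=/; SameSite=None", r"(.);(\s)SameSite=None", "{R:1}"))
```

Run it as a script to print the sample rewrites. Because this is an emulation, confirm the real headers in the browser's developer tools after deploying the rules; the OpenIdConnect nonce cookie in particular must arrive with `SameSite=None; Secure`, or Chrome will drop it on the cross-site callback and the `IDX21323` nonce error from the question will persist.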