How to change default name of OpenID Connect middleware (nonce and correlation) cookies
I am using two ASP.NET Core middlewares, one for OpenID Connect and one for cookie authentication, as follows:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationScheme = "cookie",
        CookieName = "clientcookiename",
        CookieHttpOnly = true,
        CookieSecure = _hostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always,
        AutomaticAuthenticate = true,
        AutomaticChallenge = false,
        ExpireTimeSpan = TimeSpan.FromMinutes(60)
    });

    var oidcOptions = new OpenIdConnectOptions
    {
        AuthenticationScheme = "oidc",
        SignInScheme = "cookie",
        ...
    };
    app.UseOpenIdConnectAuthentication(oidcOptions);
During sign-in in the web application, this produces some default cookies related to the nonce and the correlation, as shown below (exported from my browser's developer tools):
    {
        "domain": "localhost",
        "expirationDate": 1478762475.872038,
        "hostOnly": true,
        "httpOnly": true,
        "name": ".AspNetCore.OpenIdConnect.Nonce.CfDJ...ihRRfQid0Rw",
        "path": "/",
        "sameSite": "no_restriction",
        "secure": false,
        "session": false,
        "storeId": "0",
        "value": "N",
        "id": 1
    },
    {
        "domain": "localhost",
        "expirationDate": 1478762474.872093,
        "hostOnly": true,
        "httpOnly": true,
        "name": ".AspNetCore.Correlation.oidc.Apx...XlCFhuc...Hcq8",
        "path": "/",
        "sameSite": "no_restriction",
        "secure": false,
        "session": false,
        "storeId": "0",
        "value": "N",
        "id": 2
    }
- What are the responsibilities of these cookies?
- How do we change the CookieName of these cookies?
- Does changing the CookieName of these cookies have any impact anywhere else?
What are the responsibilities of these cookies?
The correlation cookie and the nonce cookie are used to prevent XSRF/session fixation attacks and replay attacks, respectively. They are an essential part of the security checks performed by the OpenID Connect middleware.
How do we change the CookieName of these cookies?
You can't. In both cases the cookie name is not configurable (its prefix is a hard-coded part).
The relevant code can be found here:
    oidcOptions.NonceCookie = new CookieBuilder()
    {
        Name = "TheNonceCookieName"
    };
Setting only the cookie name does not work on ASP.NET Core 2.0. I also had to set the other properties:
    // requires: using Microsoft.AspNetCore; (for Http.CookieBuilder)
    // https://github.com/aspnet/Security/blob/release/2.0/src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationOptions.cs#L26
    options.CorrelationCookie = new Http.CookieBuilder()
    {
        Name = "my_correlation_cookie",
        HttpOnly = true,
        SameSite = SameSiteMode.None,
        SecurePolicy = CookieSecurePolicy.SameAsRequest,
        Expiration = new TimeSpan(0, 15, 0)
    };

    // https://github.com/aspnet/Security/blob/release/2.0/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectOptions.cs#L71
    options.NonceCookie = new Http.CookieBuilder()
    {
        Name = "my_nonce_cookie",
        HttpOnly = true,
        SameSite = SameSiteMode.None,
        SecurePolicy = CookieSecurePolicy.SameAsRequest,
        Expiration = new TimeSpan(0, 15, 0)
    };
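The following is an added example, not code from the question or any of the answers above: a complete ASP.NET Core 2.x ConfigureServices that wires the cookie and OpenID Connect handlers together, renames the correlation and nonce cookies as the last answer does, and tightens their Secure policy outside development. The authority URL and client id are placeholders. Two points the snippets above do not make explicit: the configured Name is only a prefix (the handler appends the scheme and a per-request correlation id for the correlation cookie, and the protected nonce value for the nonce cookie, which is why the exported names end in long opaque suffixes), and SameSite must stay None because the identity provider's form_post callback is a cross-site POST that a Lax or Strict cookie would not accompany.

```csharp
// Added example for ASP.NET Core 2.x; not from the original page.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IHostingEnvironment _env;

    public Startup(IHostingEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        // Outside development every authentication cookie must be HTTPS-only;
        // SameAsRequest is only acceptable while testing over plain HTTP.
        var securePolicy = _env.IsDevelopment()
            ? CookieSecurePolicy.SameAsRequest
            : CookieSecurePolicy.Always;

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                // Equivalent of the question's CookieAuthenticationOptions on 2.x.
                options.Cookie.Name = "clientcookiename";
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = securePolicy;
                options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
            })
            .AddOpenIdConnect(options =>
            {
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.Authority = "https://issuer.example"; // placeholder
                options.ClientId = "my-client-id";            // placeholder

                // Name is a prefix: the handler appends "<scheme>.<correlationId>"
                // to the correlation cookie and the protected nonce to the nonce
                // cookie, so the browser still shows long opaque suffixes.
                // SameSite=None is required: the provider posts the response
                // back cross-site (form_post), and Lax/Strict cookies would be
                // withheld, making the correlation/nonce checks fail.
                options.CorrelationCookie = new CookieBuilder
                {
                    Name = "my_correlation_cookie.",
                    HttpOnly = true,
                    SameSite = SameSiteMode.None,
                    SecurePolicy = securePolicy,
                    Expiration = TimeSpan.FromMinutes(15)
                };
                options.NonceCookie = new CookieBuilder
                {
                    Name = "my_nonce_cookie.",
                    HttpOnly = true,
                    SameSite = SameSiteMode.None,
                    SecurePolicy = securePolicy,
                    Expiration = TimeSpan.FromMinutes(15)
                };
            });
    }
}
```

When verifying the change, look for cookies whose names start with the new prefixes in the browser's developer tools during sign-in, and confirm that in production they carry the Secure flag; a correlation or nonce cookie that is missing on the callback surfaces as a "Correlation failed" or nonce-validation error from the handler rather than a silent sign-in.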