【发布时间】:2017-11-13 09:23:51
【问题描述】:
我有两个使用 OWIN-MixedAuth 部署到同一服务器的 mvc 5 应用程序设置。每个应用程序都位于一个单独的文件夹中,并配置有自己的应用程序池,如下所示:
xyz.domain.com/MySiteA
xyz.domain.com/MySiteB
每个网站的配置如下
我的站点A:
<system.web>
<customErrors mode="Off"/>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<!-- Enable Mixed Auth -->
<location path="MySiteA/MixedAuth">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>`
MySiteB:
<system.web>
<customErrors mode="Off"/>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<!-- Enable Mixed Auth -->
<location path="MySiteB/MixedAuth">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>`
当用户登录一个应用程序时,即使用户不是第二个应用程序的注册用户,也会自动登录到第二个应用程序。
类似地,从一个应用程序注销会自动将用户从第二个应用程序注销。
如果我使用表单或窗口进行身份验证,就会发生这种情况。我怎样才能防止这种情况发生?
这是我在两个应用程序上的登录代码:
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
// If user is already logged in
if (HttpContext.Request.IsAuthenticated)
{
return RedirectToAction("Index", "Manage");
}
ViewBag.ReturnUrl = returnUrl;
return View();
}
这就是我在 startup.auth 中的内容:
var cookieOptions = new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
};
app.UseCookieAuthentication(cookieOptions);
是否有更改 cookie 名称的选项?
【问题讨论】:
标签: asp.net-mvc authentication owin-middleware