MVC6从另一个网站解密表单身份验证cookie

Question

我有一个webforms网站,正在调用我们正在开发的新MVC6网站.用户将使用表单身份验证在webforms网站上一直登录,然后重定向到新的MVC6网站.我知道在MVC6中我应该使用Cookie身份验证,但无法让它解密cookie.我怀疑它是关于web.config和machinekey的变化,但我真的被卡住了.

这就是我所做的.

我已按如下方式设置了cookie身份验证

        app.UseCookieAuthentication(options =>
        {
            options.CookieName = "MyWebformsCookie";
            options.AutomaticAuthenticate = true;
            options.AuthenticationScheme = "Cookies";
            options.TicketDataFormat = new MySecureDataFormat();
            options.DataProtectionProvider = new MyDataProtectionProvider();
            //options.CookieDomain = "localhost";
        });

课程如下

public class MySecureDataFormat : ISecureDataFormat<AuthenticationTicket>
{
    public string Protect(AuthenticationTicket data)
    {
        return string.Empty;
    }

    public string Protect(AuthenticationTicket data, string purpose)
    {
        return string.Empty;
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        return null;
    }

    public AuthenticationTicket Unprotect(string protectedText, string purpose)
    {
        var ticket = FormsAuthentication.Decrypt(protectedText);
        return null;
    }
}

正在读取cookie,并调用Unprotect方法,但随后在FormsAuthentication.Decrypt方法上出现错误并出现错误

System.Web.dll中出现"System.Web.HttpException"类型的异常,但未在用户代码中处理

其他信息:无法验证数据.

Stack = at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt,Byte [] buf,Byte [] modifier,Int32 start,Int32 length,Boolean useValidationSymAlgo,Boolean useLegacyMode,IVType ivType,Boolean signData)at System.Web.Security .FormsAuthentication.Decrypt(String encryptedTicket)
位于Microsoft.AspNet.Authentication.Cookies的C:\ SVNCode\GlobalConnectV2\WebApplication.Mvc\Startup.cs:第153行中的WebApplication.Mvc.MySecureDataFormat.Unprotect(String protectedText,String purpose). CookieAuthenticationHandler.d__9.MoveNext()

所以这让我相信它不是阅读机器的关键.我在wwwroot文件夹中的web.config中有这个

<configuration>
  <system.webServer>
    ...
  </system.webServer>
  <system.web>
    <machineKey compatibilityMode="Framework20SP2" validation="SHA1" decryption="AES" validationKey="mykey" decryptionKey="dec" />
  </system.web>
</configuration>

这适用于早期的MVC应用程序,但猜测MVC6中发生了一些变化.我也试过以下但没有运气

    services.ConfigureDataProtection(configure =>
    {
        configure.UseCryptographicAlgorithms(new Microsoft.AspNet.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptionOptions()
        {
            EncryptionAlgorithm = Microsoft.AspNet.DataProtection.AuthenticatedEncryption.EncryptionAlgorithm.AES_256_CBC,
            ValidationAlgorithm = Microsoft.AspNet.DataProtection.AuthenticatedEncryption.ValidationAlgorithm.HMACSHA256
        });

    });

有什么建议？

Answer 1

尝试FormsAuthentication.Decrypt()在ASP.NET 5应用程序中使用时,我没有任何乐趣.

最后,我根据可用的文档编写了一个解密例程,并查看了Microsoft为系统Web提供的参考源代码.

解密使用SHA1进行验证的表单身份验证cookie以及用于加密的AES所需的类可以在我的GIST中找到:https://gist.github.com/dazinator/0cdb8e1fbf81d3ed5d44

获得这些后,您可以像以前一样创建自定义TicketFormat:

public class FormsAuthCookieTicketFormat : ISecureDataFormat<AuthenticationTicket>
{

    private LegacyFormsAuthenticationTicketEncryptor _Encryptor;
    private Sha1HashProvider _HashProvider;

    public FormsAuthCookieTicketFormat(string decryptionKey, string validationKey)
    {
        _Encryptor = new LegacyFormsAuthenticationTicketEncryptor(decryptionKey);
        _HashProvider = new Sha1HashProvider(validationKey);
    }

    public string Protect(AuthenticationTicket data)
    {
        throw new NotImplementedException();            
    }

    public string Protect(AuthenticationTicket data, string purpose)
    {
        throw new NotImplementedException();
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        throw new NotImplementedException();
    }

    public AuthenticationTicket Unprotect(string protectedText, string purpose)
    {
        var ticket = _Encryptor.DecryptCookie(protectedText, _HashProvider);

        var identity = new ClaimsIdentity("MyCookie");
        identity.AddClaim(new Claim(ClaimTypes.Name, ticket.Name));
        identity.AddClaim(new Claim(ClaimTypes.IsPersistent, ticket.IsPersistent.ToString()));
        identity.AddClaim(new Claim(ClaimTypes.Expired, ticket.Expired.ToString()));
        identity.AddClaim(new Claim(ClaimTypes.Expiration, ticket.Expiration.ToString()));
        identity.AddClaim(new Claim(ClaimTypes.CookiePath, ticket.CookiePath));
        identity.AddClaim(new Claim(ClaimTypes.Version, ticket.Version.ToString()));           

        // Add some additional properties to the authentication ticket.
        var props = new AuthenticationProperties();
        props.ExpiresUtc = ticket.Expiration.ToUniversalTime();
        props.IsPersistent = ticket.IsPersistent;

        var principal = new ClaimsPrincipal(identity);

        var authTicket = new AuthenticationTicket(principal, props, CookieDetails.AuthenticationScheme);
        return authTicket;
    }

并将其连接起来:

var formsCookieFormat = new FormsAuthCookieTicketFormat(_DecryptionKeyText, _ValidationKeyText);

        app.UseCookieAuthentication(options =>
        {
            // shortened for brevity... 
            options.TicketDataFormat = formsCookieFormat ;
            options.CookieName = "MyCookie";                
        });