[ASP.NET Core 3.1]瀏覽器嗅探解決部分瀏覽器丟失Cookie問題
阿新 • • 發佈:2020-03-30
> 今天的乾貨長驅直入,直奔主題
看了前文的同學們應該都知道,搜狗、360等瀏覽器在單點登入中反覆重定向,最終失敗報錯。
原因在於,非Chrome80+瀏覽器不識別Cookie上的`SameSite=none`屬性值,導致認證Cookie在後續請求中被拋棄。
截至2020/3/30號,非Chrome瀏覽器測試包含兩種結果:
- case1:可設定cookie的samesite=none, 瀏覽器可讀取該cookie
- case2:對cookie設定samesite=none, 瀏覽器不能讀取該cokie
瀏覽器| 最新版本號| 結果| 備註
---|---|---|---
IE |11 | case1| win10
Edge | 44.18362.449.0 |case1 | 2020/2/15開始使用chrome核心/70.0.3538.102
Firefox | 74 |case1|
360急速瀏覽器 | 12.0.1190.0|case1 | 基於chromium78
搜狗瀏覽器 | 8.6.1.31812 |case2 | User-Agent: Chrome/65.0.3314.0
獵豹安全瀏覽器 | 6.5.115|case2 | User-Agent:Chrome/57.0.2987.98
QQ瀏覽器 | 10.5.3 |case1 | chromium 70
華為手機瀏覽器 | 10.0.6.304|case1|
魅族手機瀏覽器 | 8.5.1|case2|
> 嗯,我之前報的360急速瀏覽器在新版已經更新了Chrome核心,作為主流的搜狗和獵豹瀏覽器還是使用舊版本Chrome核心,這是要鬧哪樣?
如果Web應用程式打算`支援舊核心瀏覽器,則需要實現瀏覽器嗅探`。
ASP.NET Core不會幫你實現瀏覽器嗅探,因為User-Agents值易變且經常更改。
但是Microsoft.AspNetCore.CookiePolicy中的擴充套件點允許插入瀏覽器嗅探邏輯。
在Startup.Configure中,**在呼叫UseAuthentication或任何寫入cookie的方法之前新增呼叫UseCookiePolicy的程式碼**:
```
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
// 表示ASP.NET Core 啟動Cookie策略
app.UseCookiePolicy();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapRazorPages();
});
}
```
在Startup.ConfigureServices, 新增Cookie的策略配置程式碼:
```
public void ConfigureServices(IServiceCollection services)
{
services.Configure(options =>
{
options.MinimumSameSitePolicy = (SameSiteMode)(-1);
options.OnAppendCookie = cookieContext =>
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
options.OnDeleteCookie = cookieContext =>
CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
});
services.AddRazorPages();
}
private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{
if (options.SameSite == SameSiteMode.None)
{
var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
if (MyUserAgentDetectionLib.DisallowsSameSiteNone(userAgent))
{
options.SameSite = SameSiteMode.Unspecified;
}
}
}
```
上面的例子中,`MyUserAgentDetectionLib.DisallowsSameSiteNone` 是一個自定義的庫檔案,偵測不支援`SameSite=None`的UserAgent。
> ASP.NET Core3.1 對與SameSiteMode新增了一個 Unspecified列舉值,表示服務端不會對Cookie設定SameSite屬性值, 後面的攜帶Cookie的事情交給瀏覽器預設配置。
具體的偵測程式碼如下:
```
public static bool DisallowsSameSiteNone(string userAgent)
{
// Check if a null or empty string has been passed in, since this
// will cause further interrogation of the useragent to fail.
if (String.IsNullOrWhiteSpace(userAgent))
return false;
// Cover all iOS based browsers here. This includes:
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
// All of which are broken by SameSite=None, because they use the iOS networking
// stack.
if (userAgent.Contains("CPU iPhone OS 12") ||
userAgent.Contains("iPad; CPU OS 12"))
{
return true;
}
// Cover Mac OS X based browsers that use the Mac OS networking stack.
// This includes:
// - Safari on Mac OS X.
// This does not include:
// - Chrome on Mac OS X
// Because they do not use the Mac OS networking stack.
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
userAgent.Contains("Version/") && userAgent.Contains("Safari"))
{
return true;
}
// Cover Chrome 50-69, because some versions are broken by SameSite=None,
// and none in this range require it.
// Note: this covers some pre-Chromium Edge versions,
// but pre-Chromium Edge does not require SameSite=None.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
{
return true;
}
return false;
}
```
### 總結
本文實戰演示在ASP.NET Core擴充套件點插入瀏覽器嗅探邏輯,解決裝置不支援cookie SameSite=none的歷史問題.
- https://www.chromium.org/updates/same-site/incompatible