0
我已經能夠繼承DefaultTokenReplayCache並使其在我的MVC應用程序中工作。這可以正確檢測由IDid向Fiddler重播的令牌,或者按下後退箭頭並重新提交。即使在WIF中實現DefaultTokenReplayCache之後,令牌重播仍然是可能的
我現在的目的是在FedAuth cookie存在並且該會話已經退出時防止緩存重播。
例如:
DefaultTokenReplayCache正確地確定每當這個響應被重放:
POST http://127.0.0.1:2600/Account/SignIn HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; MS-RTC EA 2)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 6679
Host: 127.0.0.1:2600
Pragma: no-cache
wa=wsignin1.0&wresult=%3Ct%3ARequest .....
然而,如果我登出,下面會話可以重放
GET http://127.0.0.1:2600/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; MS-RTC EA 2)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: 127.0.0.1:2600
Pragma: no-cache
Cookie: FedAuth=77u/PD94bWwgd......
問題
如何確保一旦該會話已經退出,WIF將不再允許特定的FedAuth cookie?
我做的事情完全按照你的描述,是的,餅乾被清除,但它是可以按後退箭頭在我的亭瀏覽器(或乾脆使用Fiddler重播)並且簽出的會話再次變爲活動/有效。我認爲問題在於我需要驗證活動的FedAuth cookie並禁止「關閉」會話 – LamonteCristo