Why does httpRuntime targetFramework=“4.5” disable

Published 2019-02-18 05:49

Question:

When my web.config has the below httpRuntime, my controller cannot grab the cookie .ASPXAUTH. It seems to be able to grab any other cookie, with or without the period prefix. If I delete the below line, it works fine.

<httpRuntime targetFramework="4.5"/>

I'm using the following to grab the cookie.

HttpCookie authCookie = Request.Cookies[".ASPXAUTH"];

Why can't I grab the Forms Authentication cookie?

Answer 1:

I had a similar problem - my app with runtime 4.5 was unable to read an .ASPXAUTH cookie created by another /login/ app that was running under 4.0, causing a redirect loop. Turns out 4.5 introduces some cryptography improvements that could be enabled by setting the following in web.config:

Cause:

<machineKey compatibilityMode="Framework45" />

or

<httpRuntime targetFramework="4.5" />

https://blogs.msdn.microsoft.com/webdev/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2/1

Solution: In my case (many other 4.0 apps relied on the cookie) the solution was to switch my new app to use:

<machineKey compatibilityMode="Framework20SP1" validationKey="..shared with login app, along with decryptionKey etc...">

or

remove the <httpRuntime /> element

Of course this is only a workaround and I am going to update all my apps to the more secure 4.5 authentication ASAP.
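
As an added example (not part of the original answer and not Microsoft tooling), the Python check below compares two apps' web.config contents for the machineKey settings that must agree before they can read each other's .ASPXAUTH ticket. The function names and sample configs are hypothetical, and it assumes an explicit compatibilityMode takes precedence over httpRuntime targetFramework and that any targetFramework of 4.5 or later implies Framework45.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are placeholders, not real key material.
KEYS = 'validationKey="PLACEHOLDER_V" decryptionKey="PLACEHOLDER_D"'
LOGIN_APP_40 = f'<configuration><system.web><machineKey {KEYS} /></system.web></configuration>'
NEW_APP_45 = ('<configuration><system.web><httpRuntime targetFramework="4.5" />'
              f'<machineKey {KEYS} /></system.web></configuration>')
NEW_APP_COMPAT = NEW_APP_45.replace(
    '<machineKey ', '<machineKey compatibilityMode="Framework20SP1" ')

COMPARED = ("validationKey", "decryptionKey", "validation", "decryption")

def effective_settings(web_config_xml):
    """Return the ticket-relevant machineKey settings of one web.config."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    rt = next(root.iter("httpRuntime"), None)
    attrs = dict(mk.attrib) if mk is not None else {}
    mode = attrs.get("compatibilityMode")
    if mode is None:
        # Assumption: with no explicit mode, targetFramework >= 4.5 opts in to
        # Framework45; otherwise the legacy Framework20SP1 behaviour applies.
        target = rt.get("targetFramework", "") if rt is not None else ""
        ver = tuple(int(p) for p in target.split(".")[:2] if p.isdigit())
        mode = "Framework45" if ver >= (4, 5) else "Framework20SP1"
    return {"compatibilityMode": mode, **{k: attrs.get(k) for k in COMPARED}}

def ticket_mismatches(config_a, config_b):
    """List the settings that stop two apps from sharing a forms-auth ticket."""
    a, b = effective_settings(config_a), effective_settings(config_b)
    diffs = {k for k in a if a[k] != b[k]}
    # Absent or AutoGenerate keys are per-app, so they never match across apps.
    diffs |= {k for k in ("validationKey", "decryptionKey")
              if (a[k] or "AutoGenerate").startswith("AutoGenerate")}
    return sorted(diffs)

if __name__ == "__main__":
    # Only setting names are printed, never the key values themselves.
    print("4.0 login app vs 4.5 app:", ticket_mismatches(LOGIN_APP_40, NEW_APP_45))
    print("4.0 login app vs 4.5 app in compat mode:",
          ticket_mismatches(LOGIN_APP_40, NEW_APP_COMPAT))
```

Settings left at their defaults in one config and written explicitly in the other are reported as differing, so treat a `validation` or `decryption` hit as a prompt to check the effective values by hand.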