Why does the default ASP.NET Forms Authentication

Published 2019-06-14 23:29

Question:

The default ASP.NET Forms Authentication cookie sets its name as ".ASPXAUTH". Notice the first character is a period? Is there a particular reason for this? Like, does this have an impact on domain names or subdomains for the target domain?

Or is it purely some random thing an MS dev person came up with (maybe to help out the ordering of the cookies when they were debugging or something, as text with periods probably gets listed before other strings)?

Answer 1:

I was unable to find the "two dots" requirement that sajoshi mentioned, but I did find this in the HTTP specification, RFC 2109.

Domain=domain Optional. The Domain attribute specifies the domain for which the cookie is valid. An explicitly specified domain must always start with a dot.

http://www.w3.org/Protocols/rfc2109/rfc2109

The section is 4.2.2 Set-Cookie Syntax. I did not know there was a dot requirement at all before sajoshi's post, so I looked it up, but it seems that he was half right. If someone gives it a closer reading and can point out anything I've missed, please do.

Update

I did find in section 4.3.3 that

The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

(FQDN is a Fully Qualified Domain Name)

A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.

and,

Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.

So, it seems like a cookie domain would require at least two dots if it were basing its name on the domain name. However, the ASP.NET authentication cookie isn't doing this, so that's why it only requires one dot.



Answer 2:

The cookie in the same is completely optional and simply reduces the likelihood that you'll overwrite a different cookie that might be set by your code. The two-dot requirement is related exclusively to the domain name.



Answer 3:

The leading dot character is necessary. This is necessary because the HTTP specification demands that a cookie's domain property must contain at least two dots.

This leads to an inconvenience if during development you want to share cookies between http://site1.localhost/ and http://site2.localhost/. To overcome this you can map site1.localhost.dev and site2.localhost.dev to 127.0.0.1 in your hosts file and then set the domain to .localhost.dev

Hope this helps...
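As an added example (not code from any of the answers above), the RFC 2109 section 4.3.2 acceptance rules that Answer 1 quotes, applied to the hosts from this thread, including the site1.localhost workaround from Answer 3. The function name and the sample request-host/Domain pairs are constructed here; the rules themselves (leading dot, at least one embedded dot unless the value is .local, and no dot in the H part of request-host HD) are from RFC 2109 4.2.2 and 4.3.2.

```python
"""RFC 2109 Set-Cookie Domain attribute acceptance check (constructed example)."""
from typing import Optional, Tuple


def accept_cookie_domain(request_host: str, domain: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a Set-Cookie Domain attribute per RFC 2109.

    Checks, in order:
      1. An explicit Domain must start with a dot (section 4.2.2).
      2. Domain must contain an embedded dot unless it is ".local" (4.3.2);
         this is the "two dots" rule: the leading dot plus at least one inside.
      3. The request-host must domain-match Domain, i.e. end with it.
      4. Writing request-host as HD, the H part must not contain a dot (4.3.2).
    """
    host = request_host.lower()
    if domain is None:
        return True, "no Domain attribute: cookie scoped to the request-host only"
    d = domain.lower()
    if not d.startswith("."):
        return False, "Domain must start with a dot"
    if "." not in d[1:] and d != ".local":
        # A value like ".com" would let the cookie reach every host under .com.
        return False, "Domain has no embedded dot"
    if not host.endswith(d):
        return False, f"request-host {host} does not domain-match {d}"
    h = host[: -len(d)]  # the H part of HD
    if "." in h:
        return False, f"H={h!r} contains a dot, so Domain={d} is too broad for {host}"
    return True, f"accepted: Domain={d} for request-host {host}"


if __name__ == "__main__":
    # Constructed sample pairs taken from the discussion above.
    samples = [
        ("y.x.foo.com", ".foo.com"),            # rejected: H is "y.x"
        ("x.foo.com", ".foo.com"),              # accepted
        ("x.foo.com", ".com"),                  # rejected: no embedded dot
        ("site1.localhost", ".localhost"),      # rejected: no embedded dot
        ("site1.localhost.dev", ".localhost.dev"),  # accepted: the hosts-file workaround
    ]
    for request_host, domain in samples:
        ok, reason = accept_cookie_domain(request_host, domain)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {request_host:22} Domain={domain}: {reason}")
```

Note that current browsers follow RFC 6265 instead, which drops a leading dot from the Domain attribute and treats ".foo.com" and "foo.com" the same, so the leading dot no longer changes cookie scoping in practice.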