Decrypting an ASP.NET Core 8 authentication cookie

Question (votes: 0, answers: 1)

The ASP.NET Core 8 MVC application uses cookie authentication defined in startup.cs:

// Key ring persisted to the "Voti" directory (relative to the process working directory)
services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(@"Voti"));

// Default scheme name is CookieAuthenticationDefaults.AuthenticationScheme, i.e. "Cookies"
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
        {
            // Cookie handler uses its own provider over the same key directory
            options.DataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"Voti"));
            options.Cookie = new CookieBuilder()
                {
                    Name = ".EevaAuth",   // cookie name, distinct from the scheme name
                    IsEssential = true,
                    SameSite = SameSiteMode.Strict
                };
            options.LoginPath = new PathString("/Account/LogOn");
            options.ReturnUrlParameter = "returnUrl";
            options.SlidingExpiration = true;
            options.ExpireTimeSpan = TimeSpan.FromDays(30);
       });

The controller parses its own log file. The log file contains the authentication

How to manually decrypt an ASP.NET Core authentication cookie?

The HTTP request log file records HTTP requests. The log contains the authentication cookie in the header, e.g.

Cookie: .EevaAuth=CfDJ8ArEl-fh9A1DvMRTXwPoRF9c7eL8Jfy0__CVs5Fm_zPCFzpDmZbQFE-Y9hqt5YbWMLwJo0jL99KPOVp1xp1rTm6FOgozhmZU6yAVY7KMzNDeb1MCrp7QqzlVABXkYPo-2nTgFDGEYTqp_2iKJ6Kb54eWFhV4tYHWCDSNdwvNWUS2R6uekt9q6nj2rz8hfA4K2uh1tAoW_NkJFfEbc8mYhOoIQrlnSv9ZUPafywn2EI2MR-33k08i-GqI6ZwU9oA7yndywhh_VwEq0oJ-xMm0vCpJsjQdzEjdKH-gJufGy-BdHeEmpzepvTiUjPWGl3XNIHtjzxvTF_J-78oou5173BgbGqggAHCf9BeGWbZL0LTlo54etO5QbSYtRFr3P3AHWg

Tried to decrypt the cookie using the code from How to manually decrypt an ASP.NET Core Authentication cookie?

using System.IO;
using System.Text;
using Microsoft.AspNetCore.Authentication;   // Base64UrlTextEncoder
using Microsoft.AspNetCore.DataProtection;   // DataProtectionProvider, CreateProtector, Unprotect

public string DecryptCookie()
{
    // Provider over the same key directory the cookie handler was configured with
    var provider = DataProtectionProvider.Create(new DirectoryInfo(@"Voti"));
    string cookieValue = HttpContext.Request.Cookies[".EevaAuth"];
    // Purposes: middleware name, sub-purpose (the cookie name is passed here), format version
    var dataProtector = provider.CreateProtector(
        "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", ".EevaAuth", "v2");
    UTF8Encoding specialUtf8Encoding = new UTF8Encoding(false, true);
    byte[] protectedBytes = Base64UrlTextEncoder.Decode(cookieValue);
    byte[] plainBytes = dataProtector.Unprotect(protectedBytes);
    string plainText = specialUtf8Encoding.GetString(plainBytes);
    return plainText;
}

This code throws an exception:

System.Security.Cryptography.CryptographicException: The payload was invalid. For more information go to https://aka.ms/aspnet/dataprotectionwarning

   at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 extraAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at MyApp.Controllers.Erp.AboutController.DecryptCookie()

How to decrypt a .NET 8 cookie? The authentication is the same as in the application that created it for other users.

asp.net-core-mvc .net-8.0 asp.net-core-8
1 Answer

0 votes
 services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
        {  
           ...

Referring to Cookie authentication: when

CookieAuthenticationDefaults.AuthenticationScheme
is used to set up cookie authentication, the AuthenticationScheme value is set to "Cookies" by default.

So, when creating the data protector, we need to use the "Cookies" scheme instead of ".EevaAuth".

To fix this, the code can be modified as follows:

using System.IO;
using System.Text;
using Microsoft.AspNetCore.Authentication;   // Base64UrlTextEncoder
using Microsoft.AspNetCore.DataProtection;   // DataProtectionProvider, CreateProtector, Unprotect

public string DecryptCookie()
{
    var provider = DataProtectionProvider.Create(new DirectoryInfo(@"Voti"));
    string cookieValue = HttpContext.Request.Cookies[".EevaAuth"];
    // Sub-purpose is the authentication scheme name, not the cookie name
    var dataProtector = provider.CreateProtector(
        "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookies", "v2");  // change the AuthenticationScheme value
    UTF8Encoding specialUtf8Encoding = new UTF8Encoding(false, true);
    byte[] protectedBytes = Base64UrlTextEncoder.Decode(cookieValue);
    byte[] plainBytes = dataProtector.Unprotect(protectedBytes);
    // plainBytes is a binary-serialized AuthenticationTicket; decoding it as UTF-8
    // only makes the embedded claim strings readable
    string plainText = specialUtf8Encoding.GetString(plainBytes);
    return plainText;
}

The result in my sample looks like this:

[screenshot: test result]

References: Cookie authentication; Share authentication cookies among ASP.NET apps
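The following is an added, self-contained example and is not code from the question or the answer above. It shows the full mechanism the answer relies on: the cookie handler protects a binary-serialized AuthenticationTicket under the purposes (middleware name, scheme name, "v2"), so a tool that wants to read a logged cookie must use the scheme name ("Cookies"), the same key ring, and TicketSerializer to get structured claims back instead of guessing at UTF-8 text. It issues its own ticket into a temporary key directory, embeds it in a constructed log line shaped like the one in the question, shows the CryptographicException you get when the cookie name is used as the sub-purpose, and then decrypts it correctly. The key directory, cookie value, claims and log line are all constructed for the demo; it assumes a .NET 8 console project with `<FrameworkReference Include="Microsoft.AspNetCore.App" />`.

```csharp
// Added example (not from the original post). Assumes a .NET 8 console project with
//   <FrameworkReference Include="Microsoft.AspNetCore.App" />
// Key directory, ticket contents and the log line below are constructed for the demo.
using System;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;

static class CookieTicketDemo
{
    // Purpose chain used by the cookie handler. The middle element is the
    // authentication *scheme* name ("Cookies" for the default scheme), never the cookie's Name.
    const string Purpose = "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware";

    static IDataProtector TicketProtector(IDataProtectionProvider provider, string scheme) =>
        provider.CreateProtector(Purpose, scheme, "v2");

    // Decrypts a raw cookie value (the part after '=') into an AuthenticationTicket.
    // Unprotect() only checks integrity and key validity; the ticket's own ExpiresUtc
    // is NOT enforced here, so the caller must check it before trusting the identity.
    static AuthenticationTicket DecryptCookie(IDataProtectionProvider provider, string scheme, string cookieValue)
    {
        byte[] protectedBytes = Base64UrlTextEncoder.Decode(cookieValue);
        byte[] plain = TicketProtector(provider, scheme).Unprotect(protectedBytes);
        // The plaintext is a binary-serialized AuthenticationTicket, not UTF-8 text.
        return TicketSerializer.Default.Deserialize(plain)
               ?? throw new InvalidOperationException("Payload decrypted but is not a ticket.");
    }

    // Pulls one named cookie out of a logged "Cookie:" header line (base64url alphabet only).
    static string? ExtractCookie(string logLine, string cookieName)
    {
        var m = Regex.Match(logLine, $@"(?:^|;\s*|Cookie:\s*){Regex.Escape(cookieName)}=([A-Za-z0-9_\-]+)");
        return m.Success ? m.Groups[1].Value : null;
    }

    static void Main()
    {
        // Use an absolute key directory: a relative path such as "Voti" resolves against the
        // process working directory, which differs between the web app and a tool run elsewhere.
        string keyDir = Path.Combine(Path.GetTempPath(), "cookie-demo-keys-" + Guid.NewGuid().ToString("N"));
        var provider = DataProtectionProvider.Create(new DirectoryInfo(keyDir));
        string scheme = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"

        // 1. Issue a ticket the way SignInAsync does (constructed claims).
        var identity = new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "admin"),
        }, scheme);
        var props = new AuthenticationProperties {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.AddDays(30),
            IsPersistent = true,
        };
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), props, scheme);
        string cookieValue = Base64UrlTextEncoder.Encode(
            TicketProtector(provider, scheme).Protect(TicketSerializer.Default.Serialize(ticket)));

        // 2. Constructed log line in the shape of the one in the question.
        string logLine = $"Cookie: .EevaAuth={cookieValue}; other=1";
        string fromLog = ExtractCookie(logLine, ".EevaAuth")
                         ?? throw new InvalidOperationException("cookie not found in log line");

        // 3. Wrong sub-purpose (cookie name instead of scheme): purposes are part of the
        //    authenticated data, so this fails with "The payload was invalid".
        try
        {
            DecryptCookie(provider, ".EevaAuth", fromLog);
            Console.WriteLine("unexpected: decrypted with cookie-name purpose");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"purpose '.EevaAuth': {ex.Message}");
        }

        // 4. Correct sub-purpose: the scheme name.
        var decrypted = DecryptCookie(provider, scheme, fromLog);
        bool expired = decrypted.Properties.ExpiresUtc is { } exp && exp < DateTimeOffset.UtcNow;
        Console.WriteLine($"scheme={decrypted.AuthenticationScheme} expired={expired}");
        foreach (var c in decrypted.Principal.Claims)
            Console.WriteLine($"  {c.Type} = {c.Value}");

        Directory.Delete(keyDir, recursive: true);
    }
}
```

Two points worth keeping in mind when doing this against real logs. A value that decrypts is a replayable credential until its ExpiresUtc passes (and for 30 days with sliding expiration here), so a log that stores the Cookie header verbatim is a credential store and should be treated and access-controlled as one. And PersistKeysToFileSystem without a ProtectKeysWith* call leaves the key ring unencrypted on disk, so anyone who can read that directory can decrypt, and forge, every cookie the app issues.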
