Default Cookies in MVC

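Recently, after the project went live, the remote Portal side ran into a problem. We suspected that the back end was not cleaning up its cookies properly.

According to the Portal side's requirements, cookie values that are no longer needed must be deleted after the system logs out. However, cookie-related settings had not been considered at all in the code design.

Debugging with F12 in Chrome, I found the following two cookies, which are generated automatically by the MVC code.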

(1): ".ASPXAUTH"

(2): "__RequestVerificationToken"

The cookies are generated by the following source code.

Source Code:
FormsAuthentication.SetAuthCookie(user.UserName, user.RememberMe);  => (1)
@Html.AntiForgeryToken();  => (2)

Conclusion:

(1) The .ASPXAUTH cookie is used to determine if a user is authenticated. It is used for client authentication.
(2) This is an anti-forgery token (it prevents CSRF attacks). It guarantees that the poster is the one who got the form. It prevents anybody from forging a link and having it activated by a privileged user. It ensures that only the client itself uses the application's internal pages.
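
A logout action that clears these cookies, together with the ASP.NET_SessionId cookie named in the references, is shown here as an added example; it is not code from the original post. The controller name, action name and redirect target are assumptions, and the cookie paths assume the ASP.NET defaults.

```csharp
using System;
using System.Web;
using System.Web.Helpers;   // AntiForgeryConfig
using System.Web.Mvc;
using System.Web.Security;  // FormsAuthentication

// Hypothetical controller; names are illustrative, not from the original post.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]  // logout changes state, so it should not be triggerable cross-site
    public ActionResult Logout()
    {
        // (1) Sends an expired .ASPXAUTH cookie (the name comes from
        //     FormsAuthentication.FormsCookieName) so the browser drops it.
        FormsAuthentication.SignOut();

        // Discard server-side session state tied to ASP.NET_SessionId.
        if (Session != null)
        {
            Session.Abandon();
        }

        // (2) plus the session cookie. AntiForgeryConfig.CookieName returns the
        //     real token cookie name, which gets a suffix when the application
        //     runs in a virtual directory.
        ExpireCookie(AntiForgeryConfig.CookieName);
        ExpireCookie("ASP.NET_SessionId");

        return RedirectToAction("Login", "Account");
    }

    private void ExpireCookie(string name)
    {
        // The browser only deletes a cookie when Path (and Domain, if one was
        // set) match the original cookie; "/" is the ASP.NET default path.
        var expired = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            Path = "/",
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Set(expired);  // Set replaces any same-named cookie already queued
    }
}
```

FormsAuthentication.SignOut() only removes the cookie from the browser; a ticket that was copied elsewhere stays valid until it expires, so keep the forms-authentication timeout short.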

Rules for using cookies
a. The size of a cookie is limited to 4096 bytes. (Size < 4 KB.)
b. A total of 20 cookies can be used on a single website; if you exceed this, the browser will delete older cookies. (No more than 20.)
c. The end user can stop the browser from accepting cookies, so it is recommended to check the user's state and prompt the user to enable cookies. (Enable cookies.)

References

ASP.NET issues an entirely different cookie, named ASP.NET_SessionId, to track session state.
https://msdn.microsoft.com/en-us/library/ee920427.aspx
http://www.codeproject.com/Articles/244904/Cookies-in-ASP-NET
http://stackoverflow.com/questions/33306859/the-required-anti-forgery-cookie-requestverificationtoken-is-not-present

Original article: https://www.cnblogs.com/tomclock/p/6038421.html