Forms authentication cookieless attribute in ASP.NET 2.0

Source: Internet
Author: User

While doing forms authentication for a WAP application today I ran into a problem: in mobile-device emulators that do not support cookies, forms authentication simply did not work. That reminded me of the "Cannot use a leading .. to exit above the top directory" exception I had hit the day before in a web project, the same exception that had plagued a site of mine for a long time. After working through both, I finally understood why that exception occurs, and why the cookieless attribute, which could only be set to true or false in ASP.NET 1.x, accepts the HttpCookieMode enumeration in ASP.NET 2.0: AutoDetect, UseCookies, UseDeviceProfile and UseUri.

If you have worked with forms authentication you probably know that the current session ID and the user's authentication ticket can be carried in two ways: in cookies, or as a string encoded into the URL. The first is by far the most common; the second, identifying the session and the ticket through the URI, is something few people look at unless they have a specific need, and I did not understand it well myself until now. I built two simple pages to simulate the login process. With cookieless="AutoDetect" in web.config, the login URL looks like this:

http://localhost:1115/formsauthentication/security/default.aspx

With cookieless="UseUri" the URL becomes:

http://localhost:1115/formsauthentication/(F(V0-gEZNEzXUqevbOqKwNoBcMf6vBWnyNbdpa2UhZzrfOUkGPvyB91-9nFlnBDmCAgdpz4gJ6kq-QOVjbNsvKig2))/security/default.aspx

ASP.NET has inserted an extra path segment directly below the application root. The value inside (F(...)) is the current user's forms authentication ticket; when session state is also configured cookieless, a separate (S(...)) segment carries the session ID. In some situations this is very useful (or the only option): in an environment without cookie support you still need to tell whether two requests belong to the same session and whether the current user has been authenticated, and anything that depends on session state will otherwise misbehave. Bear in mind, though, that the ticket is now part of every URL: it appears in Referer headers, proxy and server logs, browser history and any link the user copies or bookmarks, and anyone who obtains the URL can present the ticket. UseUri should therefore be reserved for clients that really cannot store cookies, preferably over SSL and with a short ticket timeout.

Now that we have seen the two ways of carrying session information, let's discuss why the ASP.NET team replaced the true/false attribute with an enumeration. First, the meaning of the four values (tables cannot be drawn in Windows Live Writer, unfortunately):

AutoDetect: detect whether the client actually supports cookies and choose between the two methods accordingly (the best fit). ASP.NET does this by probing the client with a test cookie and a redirect; if the cookie does not come back, it falls back to the URI.

UseCookies: always identify the client with cookies, whether or not it supports them (the first method).

UseDeviceProfile: decide from the device profile whether the client supports cookies, then choose the method. Many people are vague about this concept; from my recent WAP work I have a basic understanding of it. The directory %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers contains many .browser files, each describing the capabilities of a device or browser (technical parameters such as whether it supports cookies, and so on). ASP.NET compiles these .browser files into types derived from HttpBrowserCapabilities and uses them to fill in the parameter values for the matching device; in code you obtain that object through Request.Browser (for example, Request.Browser.Cookies tells you whether the profile claims cookie support).

UseUri: like UseCookies, but the other way round: the second method is used regardless of whether the client supports cookies.

A special note: why stress "actually" above, and describe UseDeviceProfile at such length? Because I found that the capabilities recorded in a device profile do not always match the real device (a profile may say that a device supports cookies when the actual device does not). So if you want the choice to follow the device's real behaviour, use AutoDetect; the device profile can only serve as a reference. Of course, if you fully control the profile files, that is a different matter. Pay special attention to this: AutoDetect is not the default value; UseDeviceProfile is.
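As an added example that is not from the original post, here is the web.config fragment that selects the mode for both forms authentication and session state in ASP.NET 2.0. The loginUrl, cookie name and timeouts are placeholder values chosen for illustration; the attribute names and the four HttpCookieMode values are the real ones.

```xml
<?xml version="1.0"?>
<!-- web.config for an ASP.NET 2.0 application (added example, not from the post).
     In 1.x the cookieless attribute only took true|false; in 2.0 both <forms>
     and <sessionState> accept the HttpCookieMode values
     AutoDetect | UseCookies | UseDeviceProfile | UseUri.
     Omitting the attribute means UseDeviceProfile, not AutoDetect. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- UseCookies: the ticket always travels in the .ASPXAUTH cookie, so the
           (F(...)) segment never appears in URLs. Use AutoDetect only when you
           must support clients that really cannot store cookies, and then
           serve the site over SSL with a short timeout, because the ticket
           will be visible in Referer headers, logs and copied links.
           loginUrl is an assumed path. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/security/login.aspx"
             cookieless="UseCookies"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="false" />
    </authentication>

    <!-- Session state has the same switch and the same default. Leaving it at
         UseDeviceProfile is what makes ASP.NET put an (S(...)) segment into the
         URLs of any client whose .browser profile says "no cookies". -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <!-- Deny anonymous users so unauthenticated requests are redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

To see the difference described in the post, change cookieless on the forms element to UseUri and request a protected page: the redirect back from the login page will carry the (F(...)) segment shown above. Switching it back to UseCookies removes the segment for every client, including those whose profile is wrong.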

Back to the question: why change the allowed values of the cookieless attribute at all? Without doubt, to make the program more controllable. The original value was too simple, one of two choices with no room in between. Now the choice can be made dynamically, or manually by the programmer, according to the situation. Combined with my WAP development experience over this period, I think the purpose is better compatibility with mobile devices and WAP applications, since many devices today do not support cookies.

With that introduction, let's find out why the "Cannot use a leading .. to exit above the top directory" exception occurs. A friend wrote to me a few days ago having hit the same problem with CommunityServer 2.0 (I believe the most common place people see it is CommunityServer on ASP.NET 2.0). CommunityServer uses URL rewriting, so many URLs in the program are virtual, and if a page then uses app-relative paths (~/) we can run into this problem. Because search engines (Google in particular) do not accept cookies, when a crawler visits the site ASP.NET uses the second method above to carry the session information, so the URI gains one extra level and the page ends up one link deeper than expected ... (In fact you can see that the exception itself has little to do with URL rewriting; it is just that both CommunityServer and my program happen to use it.)

There are three ways to fix it:

1. Set cookieless="UseCookies", so that cookies are used whether or not the client supports them.

2. Because the default is cookieless="UseDeviceProfile", you can create a .browser device file for the search engine and "lie" about its capabilities, declaring that it supports cookies. "Get Googlebot to crash your .NET 2.0 site" describes this approach.

3. Modify the program so that app-relative paths (~/) are converted to absolute paths (Control.ResolveUrl, for example, does this).
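Solution 2 above, as an added example that is not from the original post or from the linked article: a browser definition file placed in the application's App_Browsers folder, which overrides the device profile for a crawler. The file name, the user-agent pattern and the capability values are my assumptions; check the crawler's real User-Agent string and the definitions in the framework's CONFIG\Browsers folder before relying on it.

```xml
<?xml version="1.0"?>
<!-- App_Browsers/Googlebot.browser (added example; the file name is arbitrary).
     ASP.NET 2.0 compiles every .browser file under App_Browsers at run time and
     merges it with the definitions in
     %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers.
     With cookieless="UseDeviceProfile" (the default), what this profile says
     about cookies decides whether the ticket goes in a cookie or in the URL. -->
<browsers>
  <!-- A new definition derived from Default, matched on the User-Agent header. -->
  <browser id="Googlebot" parentID="Default">
    <identification>
      <!-- Assumed regular expression; the real header looks like
           "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" -->
      <userAgent match="Googlebot" />
    </identification>
    <capabilities>
      <!-- Tell ASP.NET the crawler accepts cookies, so no (F(...)) or (S(...))
           segment is generated for it and no ticket-bearing URL gets indexed.
           The "lie" is harmless here: the crawler never logs in, so there is
           no ticket of its own to lose. -->
      <capability name="cookies" value="true" />
      <capability name="crawler" value="true" />
    </capabilities>
  </browser>
</browsers>
```

To verify the override, send a request with that User-Agent header and inspect Request.Browser.Cookies and Request.Browser.Crawler on a test page; both should now be true, and the redirect after login should no longer contain the (F(...)) segment.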

That concludes the discussion of cookieless. I have found that nobody in the Chinese community has discussed this attribute in depth, and much of this article is my own comprehensive understanding and summary. There may well be mistaken understandings and opinions in it, and corrections and additions are welcome.
