In ASP.NET 4, do not trust Request.Browser.Cookies: use UseCookies for Forms authentication


After upgrading from ASP.NET 3.5 to ASP.NET 4, you may find that the login cookie is not saved after logging in, in the following three cases (everything worked before the upgrade):

1. Maxthon 3 in high-speed mode (the default mode).

2. Firefox with a modified User-Agent.

3. Visiting the mobile version of cnblogs (m.cnblogs.com) with the Nokia mobile browser or the UCWeb browser.

Today we finally found the culprit: Request.Browser.Cookies.

If your application uses Forms authentication and stores the user's login state in a cookie, remember to add cookieless="UseCookies" to the <forms> element under <authentication mode="Forms">. If this attribute is not set, cookieless uses its default, UseDeviceProfile, and that is where things go wrong: ASP.NET relies on Request.Browser.Cookies to decide whether the current browser supports cookies (if you do not believe it, use Reflector to look at the System.Web.Security.FormsAuthentication code). Request.Browser.Cookies reports that the browsers in the three cases above do not support cookies (there may be more misjudged cases).
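One way to check a web.config for the setting described above, as an added example (not code from the original post): it reports every Forms authentication section whose cookieless mode is left at the UseDeviceProfile default or set to anything other than UseCookies. The sample configs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config contents (not from the original post).
DEFAULT_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" timeout="30" />
  </authentication>
</system.web></configuration>"""

PINNED_CONFIG = DEFAULT_CONFIG.replace(
    "<forms ", '<forms cookieless="UseCookies" ')

WINDOWS_CONFIG = """<configuration><system.web>
  <authentication mode="Windows" />
</system.web></configuration>"""


def local(tag):
    """Strip an XML namespace prefix such as '{uri}forms' -> 'forms'."""
    return tag.rsplit("}", 1)[-1]


def forms_cookieless_modes(config_xml):
    """Return the effective cookieless mode of every Forms <authentication>."""
    modes = []
    for elem in ET.fromstring(config_xml).iter():
        if local(elem.tag) != "authentication" or elem.get("mode") != "Forms":
            continue
        forms = next((c for c in elem if local(c.tag) == "forms"), None)
        # A missing <forms> element or cookieless attribute means the default,
        # UseDeviceProfile, which defers to Request.Browser.Cookies.
        explicit = forms.get("cookieless") if forms is not None else None
        modes.append(explicit or "UseDeviceProfile")
    return modes


def audit(config_xml):
    """Return findings for Forms sections that are not pinned to UseCookies."""
    return [
        f'cookieless="{mode}": not pinned to cookies; set cookieless="UseCookies"'
        for mode in forms_cookieless_modes(config_xml)
        if mode != "UseCookies"
    ]


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CONFIG), ("pinned", PINNED_CONFIG),
                      ("windows", WINDOWS_CONFIG)]:
        print(name, audit(cfg) or "OK")
```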

The misjudgment by Request.Browser.Cookies does not occur in ASP.NET 3.5 or ASP.NET 2.0. If you do not believe it, you can verify it with the following code:

Response.Write(Request.Browser.Cookies);

Visit the page with Maxthon 3 in high-speed mode. Under ASP.NET 4, False is displayed; under ASP.NET 3.5, True is displayed.

I had planned to end the post here. But while writing, I felt unwilling to leave it at that after being worn down by all this trouble, so I decided to find out why ASP.NET 4 thinks Maxthon 3 does not support cookies.

1) First, use the following code to see which browser ASP.NET 4 takes Maxthon 3 to be:

Response.Write(Request.Browser.Browser);

The answer is: Safari.

Is Microsoft playing a little trick here, deliberately treating anything identified as Safari as not supporting cookies?

Testing with the real Safari, Request.Browser.Cookies returns True. Microsoft was wrongly accused; it is not that petty.

2) Use Request.UserAgent to check the User-Agent of Maxthon 3:

Result: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/533.9 (KHTML, like Gecko) Maxthon/3.0 Safari/533.9

Dual-core browsers really are different. Did the complicated User-Agent annoy ASP.NET 4 ("whose browser is this complicated?") into simply deciding that it does not support cookies?

3) Next is the key step: find out what ASP.NET 4 bases its decision on when determining whether the current browser supports cookies. It is certainly not a coin toss.

Looking at the source code with Reflector made me dizzy, and I could not find the answer. So I gave up on that and tried guessing instead. It worked.

It turns out that ASP.NET 4 decides based on the files in the following folder:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers

Open this folder to see:

Open safari.browser:

The truth is hidden here. Analyzing this file shows:

Maxthon 3 matches the first entry (the <browser id="Safari" parentID="Mozilla"> section). That section does not set cookies to true.

The real Safari matches not only the first entry but also the second (the <browser id="Safari3to4" parentID="Safari"> section), where <capability name="cookies" value="true"/> is set.

So it really was caused by Maxthon 3 "impersonating" another browser. Microsoft did not anticipate such a User-Agent.

With the cause found, the fix should be easy. I thought I only needed to add <capability name="cookies" value="true"/> to the first entry, but it was not that simple:

1. The safari.browser file cannot be saved; the prompt says it is a read-only file. Solution: copy safari.browser to another location, modify it there, and copy it back over the existing file.

2. Run the following command as an administrator to compile the .browser files into an assembly and install it in the GAC:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe -i

Done! Finally, the truth is clear.

If I had not written this post, I would probably have just added cookieless="UseCookies" and never investigated further.

Writing a blog not only helps you learn more, it also brings unexpected rewards.

Author: dudu
