
Separate front-end and back-end projects, late front-end authentication trouble

Popularity: 25 ℃ / 2024-08-08 13:30:25

Software composition

  • Back end
    The back end is a WebAPI project that uses JWT for authentication and authorization.
  • Front end
    The front end is a Razor Pages project served over plain HTTP, but in practice it only serves the static files in the wwwroot directory; there are no Razor pages in it.

At present only the back-end API has authentication; the front-end pages can be accessed freely.

Authentication requirements

Security requirements came down in the last couple of days: add authentication to the front-end pages. Only the login page and the redirect page (the entry through which third-party systems jump to this system's pages) stay open. The initial approach: log in through the back end, which generates the token and stores it in Redis.


  • Open the front-end login page; after clicking Log in, the back-end API returns a token and the login page stores it in a local cookie. When a new page is opened it carries this cookie with it; the front-end middleware takes the token out of the cookie and compares it with the token in Redis. If it matches, the request is passed on to the next middleware. If not, it redirects to the login page and short-circuits the request pipeline.



  • For third-party systems jumping to this system's pages through the redirect page, a token is passed in the URL. The front-end project checks the token's validity against Redis, and at the same time the redirect page also stores this token in a local cookie. After that, new tabs carry this cookie with them and it is validated in the front-end project's middleware.


Problem

For pages opened in a new tab, this authentication method works well without any problems.

But there is a problem with using a cookie for authentication: the iframe restricts cross-domain cookie submission. When the redirect page is embedded in another system, first, writing this local cookie is blocked; second, the cookie is not attached to the request, so it keeps bouncing to the login page.

Afterwards I tried a session cookie, i.e. session. But looking at the response message, it showed that the session cookie was likewise blocked from being written by the browser. This is a pain in the ass, because so many other systems' pages embed this project's pages in an iframe. If front-end authentication is added, all of those iframe places will jump to the login page.

Is HTTPS the only way to carry a cookie inside an iframe and solve this cross-domain problem?
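The following is an added example, not code from the post or from the project it describes. It puts the flow above (token in a cookie, checked against Redis by front-end middleware, redirect page that accepts a token from the URL) into an ASP.NET Core Razor Pages host, and it also covers the iframe failure: Chromium-based browsers treat a cookie without a SameSite attribute as Lax, and a Lax cookie is neither written nor sent for a document framed cross-site; the only cookie a browser will still carry in a cross-site iframe is one marked SameSite=None, which those browsers accept only together with Secure, so the front end has to be served over HTTPS. Everything named here is an assumption: the cookie name fe_token, the Redis key prefix fe-token:, the Redis address, the open paths /login and /redirect, and the use of IDistributedCache (Microsoft.Extensions.Caching.StackExchangeRedis) as the Redis client.

```csharp
// Added example (hypothetical names throughout): front-end cookie/Redis
// authentication middleware plus the redirect entry page for third-party
// systems, with cookie attributes that survive cross-site iframe embedding.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

public static class TokenCookies
{
    public const string CookieName = "fe_token";       // assumed cookie name
    public const string RedisKeyPrefix = "fe-token:";  // assumed Redis key prefix

    // Attributes a browser still honours when this site is framed cross-site:
    // SameSite=None is only accepted together with Secure, hence HTTPS.
    public static CookieOptions ForIframe(DateTimeOffset expires) => new CookieOptions
    {
        HttpOnly = true,              // not readable by page scripts
        Secure = true,                // required for SameSite=None
        SameSite = SameSiteMode.None, // allow sending from a cross-site iframe
        Expires = expires,
        Path = "/",
    };

    // The setting that breaks inside an iframe: Lax (the browser default when
    // no attribute is sent) is neither written nor sent for a framed
    // cross-site document, which is what the post observes.
    public static CookieOptions TopLevelOnly(DateTimeOffset expires) => new CookieOptions
    {
        HttpOnly = true,
        Secure = true,
        SameSite = SameSiteMode.Lax,
        Expires = expires,
        Path = "/",
    };
}

// Middleware: take the token from the cookie, check that Redis still holds it,
// short-circuit to /login on failure, otherwise hand over to the next middleware.
public sealed class TokenCookieMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IDistributedCache _cache;

    public TokenCookieMiddleware(RequestDelegate next, IDistributedCache cache)
    {
        _next = next;
        _cache = cache;
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        var path = ctx.Request.Path;
        if (path.StartsWithSegments("/login") || path.StartsWithSegments("/redirect"))
        {
            await _next(ctx); // the two pages that stay open
            return;
        }

        if (ctx.Request.Cookies.TryGetValue(TokenCookies.CookieName, out var token)
            && await IsValidAsync(_cache, token))
        {
            await _next(ctx);
            return;
        }

        // Bounce to the login page; nothing after this middleware runs.
        var returnUrl = Uri.EscapeDataString(ctx.Request.Path.Value + ctx.Request.QueryString.Value);
        ctx.Response.Redirect("/login?returnUrl=" + returnUrl);
    }

    // A token is valid while the back end's Redis entry for it exists; an
    // absent key means it was never issued or has expired and been evicted.
    public static async Task<bool> IsValidAsync(IDistributedCache cache, string? token)
    {
        if (string.IsNullOrEmpty(token) || token.Length > 512) return false; // bound the key size
        return await cache.GetStringAsync(TokenCookies.RedisKeyPrefix + token) != null;
    }
}

public static class FrontEndAuthApp
{
    public static WebApplication Build(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddStackExchangeRedisCache(o => o.Configuration = "localhost:6379"); // assumed address
        builder.Services.AddRazorPages();
        var app = builder.Build();

        app.UseMiddleware<TokenCookieMiddleware>();

        // /redirect?token=...&target=/some/page : the entry third-party systems jump to.
        app.MapGet("/redirect", async (HttpContext ctx, IDistributedCache cache, string token, string? target) =>
        {
            if (!await TokenCookieMiddleware.IsValidAsync(cache, token))
                return Results.Redirect("/login");
            ctx.Response.Cookies.Append(TokenCookies.CookieName, token,
                TokenCookies.ForIframe(DateTimeOffset.UtcNow.AddHours(8)));
            // Only same-site relative targets, so the page cannot be used as an open redirector.
            var dest = target != null && target.StartsWith('/') && !target.StartsWith("//") ? target : "/";
            return Results.Redirect(dest);
        });

        app.MapRazorPages();
        return app;
    }
}
```

The login page would write its cookie with the same ForIframe options after the back-end API returns the token. With ForIframe the framed page receives the cookie and the middleware lets it through; with TopLevelOnly (or no SameSite attribute at all) the framed request arrives without the cookie and is redirected to /login, which is the loop described in the post.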