Software composition
-
Back end
The back end is a webapi project that uses JWT for authentication and authorization.
-
Front end
The front end is a RazorPage project served over the HTTP protocol, but in practice it only serves the static files in the wwwroot directory; the RazorPage project contains nothing beyond that.
Currently only the back-end interfaces require authentication; the front-end pages can be accessed freely.
Authentication requirements
In the last couple of days a security requirement came down to add authentication to the front-end pages. Only the login page and the redirect page stay open (third-party systems jump into this system's pages through the redirect page). The initial approach: the back end generates a token on login and stores it in redis.
-
Login: open the front end's login page; after clicking login, the back-end interface returns a token, and the login page stores the token in a local cookie.
When a new page is opened it carries this cookie; the front-end middleware takes the token out of the cookie and compares it with the token in redis. If it matches, the request is passed on to the next middleware. If it doesn't, the request is redirected to the login page and the request processing pipeline is short-circuited.
-
Redirect:
When a third-party system jumps to a page of this system, it passes a token in the URL. The front-end project checks the token's validity against redis, and the redirect page also puts the token into a local cookie. New tabs opened afterwards carry this cookie and are validated by the front-end project's middleware.
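The login flow and the redirect flow above share one validation step: take the token from the cookie, look it up in redis, and either pass the request on or redirect to the login page and short-circuit the pipeline. The following ASP.NET Core middleware is an added example of that step (it is not code from the original post). It assumes .NET 6 or later, a cookie named auth_token, redis reached through IDistributedCache, entries stored by the back end under the key "token:<SHA-256 of the token>" with the user id as the value, and /login and /redirect as the open paths; all of those names are assumptions.

```csharp
// Added example, not from the original post. Assumed: cookie "auth_token",
// redis behind IDistributedCache, key "token:<sha256 hex>" -> user id,
// open paths /login and /redirect, .NET 6 or later.
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;

public static class TokenStore
{
    // Key the redis entry by a hash of the token so the raw bearer value is never
    // stored server-side; a lookup hit is what makes the token valid.
    public static string KeyFor(string token) =>
        "token:" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Returns the user id the token was issued to, or null when the token is
    // missing, oversized, or unknown to redis (expired entries simply vanish).
    public static async Task<string?> UserIdForAsync(IDistributedCache cache, string? token)
    {
        if (string.IsNullOrWhiteSpace(token) || token.Length > 512) return null;
        return await cache.GetStringAsync(KeyFor(token));
    }
}

public class CookieTokenMiddleware
{
    private const string CookieName = "auth_token";                  // assumed name
    private static readonly PathString[] OpenPaths = { "/login", "/redirect" };
    private readonly RequestDelegate _next;

    public CookieTokenMiddleware(RequestDelegate next) => _next = next;

    // IDistributedCache is scoped, so it is injected per request here rather
    // than in the constructor.
    public async Task InvokeAsync(HttpContext context, IDistributedCache cache)
    {
        foreach (var open in OpenPaths)
        {
            if (context.Request.Path.StartsWithSegments(open))
            {
                await _next(context);
                return;
            }
        }

        var userId = await TokenStore.UserIdForAsync(cache, context.Request.Cookies[CookieName]);
        if (userId is null)
        {
            // Short-circuit: redirect to the login page and call nothing after this.
            context.Response.Redirect("/login");
            return;
        }

        // Make the validated identity available to whatever runs next.
        context.Items["UserId"] = userId;
        await _next(context);
    }
}

public static class CookieTokenMiddlewareExtensions
{
    // Register this BEFORE UseStaticFiles; otherwise the wwwroot pages stay
    // reachable without a token, which is the current state described above.
    public static IApplicationBuilder UseCookieTokenAuth(this IApplicationBuilder app) =>
        app.UseMiddleware<CookieTokenMiddleware>();
}
```

In Program.cs the wiring would be `builder.Services.AddStackExchangeRedisCache(o => o.Configuration = "<redis connection string>")` followed by `app.UseCookieTokenAuth(); app.UseStaticFiles();` in that order. The redirect page can reuse `TokenStore.UserIdForAsync` to check the token it receives in the URL before writing the cookie, so both flows validate against the same redis entry.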
Problem
For pages that are opened in a new tab, this authentication method works well without any problems.
But there is a problem with using cookies for authentication: iframes.
The browser restricts cookie submission across domains inside an iframe. When the redirect page is embedded in another system, first the local cookie cannot be written, and second the cookie is not sent with the requests, so it keeps bouncing to the login page.
I then tried session cookies,
that is, session.
But the response message showed that session cookies were also blocked from being written by the browser. This is a pain, because so many pages of other systems embed this project's pages in an iframe. If front-end authentication is added, all of those iframe places will jump to the login page.
Is HTTPS the only way to carry a cookie in an iframe and solve this cross-domain problem?
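The iframe behaviour described above is the browser's SameSite handling: a cookie written without a SameSite attribute is treated as SameSite=Lax by current browsers and is neither stored nor sent when the page lives in a cross-site iframe, and browsers accept SameSite=None only together with the Secure attribute, which in turn is only honoured over HTTPS. The Razor page below is an added example (not code from the original post) that shows the redirect page writing the token cookie with the default settings, which fail inside an iframe, next to the settings a cross-site iframe needs. The page model name RedirectModel, the query parameter token, the cookie name auth_token and the ITokenStore abstraction over redis are all assumptions.

```csharp
// Added example, not from the original post. Assumed names: RedirectModel,
// query parameter "token", cookie "auth_token", ITokenStore over redis.
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public interface ITokenStore
{
    // True when the token exists in redis (issued by the back end, not expired).
    Task<bool> IsValidAsync(string token);
}

public class RedirectModel : PageModel
{
    private const string CookieName = "auth_token";   // assumed name
    private readonly ITokenStore _tokens;

    public RedirectModel(ITokenStore tokens) => _tokens = tokens;

    // GET /redirect?token=...  (the entry point used by third-party systems)
    public async Task<IActionResult> OnGetAsync(string? token)
    {
        // Validate the URL token against redis before trusting it at all.
        if (string.IsNullOrEmpty(token) || !await _tokens.IsValidAsync(token))
            return RedirectToPage("/Login");

        // Weak setting: no SameSite or Secure attribute. Current browsers treat
        // this as SameSite=Lax, so inside an iframe on another site the cookie is
        // neither written nor sent, which is exactly the bouncing-to-login symptom.
        // Response.Cookies.Append(CookieName, token);

        // Corrected setting: SameSite=None lets the cookie travel in a cross-site
        // iframe, browsers only accept SameSite=None when Secure is also set, and a
        // Secure cookie is only written when the page itself was served over HTTPS.
        Response.Cookies.Append(CookieName, token, new CookieOptions
        {
            SameSite = SameSiteMode.None,
            Secure = true,
            HttpOnly = true,                          // not readable by page scripts
            Path = "/",
            Expires = DateTimeOffset.UtcNow.AddHours(1)   // assumed lifetime, matching the redis entry
        });

        return RedirectToPage("/Index");
    }
}
```

The same SameSite=None plus Secure pair has to be used on the login page's cookie, and the middleware that reads the cookie needs no change, because the attributes only govern whether the browser stores and sends it. Since Secure cookies require HTTPS, the cross-site iframe case cannot be made to work on plain HTTP with cookies alone; serving the front end over HTTPS is the precondition for this route.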