[ASP.NET Core 3.1] Browser sniffing solves missing cookies in some browsers

Keywords: iOS Mac OS X Mobile

[ASP.NET Core 3.1] Browser sniffing solves missing cookies in some browsers
Students who have read the previous article should know that browsers such as Sogou and 360 redirect repeatedly in single sign-on, and eventually fail and make mistakes.

The reason is that non-Chrome80+ browsers do not recognize the SameSite=none attribute value on the Cookie, resulting in the authentication Cookie being discarded in subsequent requests.

As of No. 2020/3/30, non-Chrome browser tests included two results:

case1: can set the cookie's samesite=none, the cookie can be read by the browser
case2: set samesite=none on cookie, browser cannot read it
Browser Latest Version Number Result Remarks
IE 11 case1 win10
Edge 44.18362.449.0 case1 2020/2/15 Start using chrome kernel/70.0.3538.102
Firefox 74 case1
360 Rapid Browser 12.0.1190.0 case1 based on chromium78
Sogou Browser 8.6.1.31812 case2 User-Agent: Chrome/65.0.3314.0
Cheetah Security Browser 6.5.115 case2 User-Agent: Chrome/57.0.2987.98
QQ Browser 10.5.3 case1 chromium 70
Huawei Mobile Browser 10.0.6.304 case1
Meizu Mobile Browser 8.5.1 case2
Well, the 360 Express browser I previously reported has updated the Chrome kernel in the new version. Is it a mainstream search dog and Cheetah browser or an older version of the Chrome kernel? What's going on?

If your Web application intends to support older kernel browsers, you need to implement browser sniffing.
ASP.NET Core does not help you with browser sniffing because User-Agents values are volatile and often change.

However, extensions in Microsoft.AspNetCore.CookiePolicy allow browser sniffing logic to be inserted.

In Startup.Configure, add code that calls UseCookiePolicy before calling UseAuthentication or any method that writes cookie s:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{

if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

//Indicates ASP.NET Core Startup Cookie Policy

app.UseCookiePolicy();
app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapRazorPages();
});

}
In Startup.ConfigureServices, add the policy configuration code for cookies:

public void ConfigureServices(IServiceCollection services)
{

services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = (SameSiteMode)(-1);
    options.OnAppendCookie = cookieContext =>
        CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
    options.OnDeleteCookie = cookieContext =>
        CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
});

services.AddRazorPages();

}

private void CheckSameSite(HttpContext httpContext, CookieOptions options)
{

if (options.SameSite == SameSiteMode.None)
{
    var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
    if (MyUserAgentDetectionLib.DisallowsSameSiteNone(userAgent))
    {
        options.SameSite = SameSiteMode.Unspecified;
    }

}

}
In the example above, MyUserAgentDetectionLib.DisallowsSameSiteNone is a custom library file, and detection does not support UserAgent with SameSite=None.

ASP.NET Core3.1 adds an Unspecified enumeration value to the SameSiteMode pair to indicate that the server will not set the SameSite property value on the Cookie, and the subsequent carriage of the Cookie is handed over to the browser's default configuration.

The specific detection code is as follows:

public static bool DisallowsSameSiteNone(string userAgent)
{

// Check if a null or empty string has been passed in, since this
// will cause further interrogation of the useragent to fail.
 if (String.IsNullOrWhiteSpace(userAgent))
    return false;

// Cover all iOS based browsers here. This includes:
// - Safari on iOS 12 for iPhone, iPod Touch, iPad
// - WkWebview on iOS 12 for iPhone, iPod Touch, iPad
// - Chrome on iOS 12 for iPhone, iPod Touch, iPad
// All of which are broken by SameSite=None, because they use the iOS networking
// stack.
if (userAgent.Contains("CPU iPhone OS 12") ||
    userAgent.Contains("iPad; CPU OS 12"))
{
    return true;
}

// Cover Mac OS X based browsers that use the Mac OS networking stack. 
// This includes:
// - Safari on Mac OS X.
// This does not include:
// - Chrome on Mac OS X
// Because they do not use the Mac OS networking stack.
if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14") &&
    userAgent.Contains("Version/") && userAgent.Contains("Safari"))
{
    return true;
}

// Cover Chrome 50-69, because some versions are broken by SameSite=None, 
// and none in this range require it.
// Note: this covers some pre-Chromium Edge versions, 
// but pre-Chromium Edge does not require SameSite=None.
if (userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6"))
{
    return true;
}

return false;

}
summary
This live demonstration plugs browser sniffing logic into the ASP.NET Core extension point to solve the historical problem that the device does not support cookie SameSite=none.

https://www.chromium.org/updates/same-site/incompatible-clients
Original Address https://www.cnblogs.com/JulianHuang/p/12596115.html

Posted by jallard on Mon, 30 Mar 2020 19:53:37 -0700

Hot Keywords

©2024 Programmer Group