http and restricted section
I would like to ask you guys because I am not sure about the answer.
I have a website, Asp.Net 2.0, with a section that only authenticated users can access. The user is redirected to the restricted section only after successful authentication (login/password). But my question is more about whether I need to use https instead of http. I do check in the Page_Load method that the user is authenticated and is in the appropriate role. Like this:
protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        ApplyAuthorizationRules();
        InitData();
    }
}

private void ApplyAuthorizationRules()
{
    // Check if the user is logged in
    // (Response.Redirect ends the response by default, so nothing below runs)
    if (!Page.User.Identity.IsAuthenticated)
    {
        Response.Redirect(NotAuthenticated.UrlToSelf());
    }
    // Check if the user is in one of the FU roles
    if (!Page.User.IsInRole(Constants.ROLECLIENT))
    {
        Response.Redirect(NotAuthorized.UrlToSelf());
    }
}
Just for a better description, here is a snapshot of my web.config settings:
<identity impersonate="false" />
<authentication mode="Windows" />
<authorization>
    <allow users="*" />
</authorization>
and here is a snapshot of my auth process:
public static bool Login(string username, string password)
{
    // Build the identity from the supplied credentials and attach it to the request
    AppIdentity identity = AppIdentity.GetIdentity(username, password);
    AppPrincipal principal = new AppPrincipal(identity);
    HttpContext.Current.User = principal;
    return identity.IsAuthenticated;
}
So is it really necessary to use https?
Thanks for any suggestion. X.
Authorization and encryption serve different purposes. If the data is sensitive you should probably use https.
Assuming you used "Basic" HTTP authentication, then be aware that if you use http, the username and password are sent in the clear with every request. If you want to provide more security to prevent the credentials from being sniffed, then use https.
There are other methods, such as Digest authentication, which offer a little more protection, but generally speaking, use https for anything which a user might feel protective of.
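As an added example (not code from the question or from either answer), this is how the two answers' point fits into the question's own page: enforce TLS for the restricted section before the identity and role checks run, so that neither the login credentials nor the authenticated session ever travel over plain http. It assumes the question's NotAuthenticated/NotAuthorized pages and Constants.ROLECLIENT exist elsewhere in the site; RequireHttps() is a hypothetical helper name.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind of a page in the restricted section (ASP.NET 2.0).
public partial class RestrictedPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        RequireHttps();                 // transport protection first
        if (!IsPostBack)
        {
            ApplyAuthorizationRules();  // then authentication and role
        }
    }

    private void RequireHttps()
    {
        // IsSecureConnection is true only when IIS received this request over TLS.
        if (Request.IsSecureConnection)
        {
            return;
        }

        // A POST that arrived over plain http has already exposed its form fields
        // on the wire, so do not try to replay it: just send the client to the
        // https address of the same page. Port 443 is an assumption (default HTTPS).
        UriBuilder secure = new UriBuilder(Request.Url);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = 443;
        // endResponse = true: processing stops here, nothing below executes.
        Response.Redirect(secure.Uri.AbsoluteUri, true);
    }

    private void ApplyAuthorizationRules()
    {
        // Not logged in: send to the login page (redirect ends the response).
        if (!Page.User.Identity.IsAuthenticated)
        {
            Response.Redirect(NotAuthenticated.UrlToSelf(), true);
        }
        // Logged in but not in the required role: send to the "not authorized" page.
        if (!Page.User.IsInRole(Constants.ROLECLIENT))
        {
            Response.Redirect(NotAuthorized.UrlToSelf(), true);
        }
    }
}
```

The same restriction can also be declared once in web.config with a location element for the restricted folder containing an authorization rule that denies anonymous users (deny users="?"), so the check no longer depends on every page calling ApplyAuthorizationRules.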