ASP.Net 在 Auth Cookie 中存储用户数据
我想在 auth cookie 的用户数据部分存储一些数据,例如用户昵称和用户 ID(表主键)。 我这样做的原因是在浏览器关闭时保留这些数据,而不需要用户重新登录。
编辑:哎呀! 意识到我没有很好地解释自己。 我并不是想根据用户的 cookie 重新验证用户的身份。 用户已经通过 ASP.Net 的会员系统进行身份验证 - 这部分没问题。 我的问题是,例如,如果我想显示用户的昵称,我必须触发另一个 SQL 查询,然后将其存储在会话中。 我认为将此信息存储在 UserData 部分的 auth cookie(同样是由 ASP.Net 创建的)中是有意义的,该部分似乎是为此目的而创建的。
我不想使用配置文件,因为我有自己的包含配置文件数据的用户表,并且我需要一个轻量级的解决方案。
在 auth cookie 的用户数据部分对此数据进行编码的好方法是什么? 我正在考虑连载,但这可能有点矫枉过正。 我是否以错误的方式处理这个问题?
I want to store some data like the user nickname and user ID (table primary key) in the user data section of the auth cookie. The reason I'm doing this is to retain this data when the browser is closed, without having the user relogin.
Edit: Whoops! Realized I'd not explained myself well. I am not trying to reauthenticate a user based on their cookie. The user is already authenticated by ASP.Net's membership system - this part is fine. My problem is that if I want to show the user's nickname, for example, I have to fire off another SQL query, and then store it in the session. I figured it would make sense to store this information in the auth cookie (again, the one already created by ASP.Net) in the UserData section, which seems to have been created for this purpose.
I don't want to use profiles because I have my own user table with profile data, and I needed a lightweight solution.
What is a good way to encode this data in the user data section of the auth cookie? I was thinking serialization, but that might be overkill. Am I going about this the wrong way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
我在这里编写了有关如何执行此操作的深入教程:
http://www.danharman.net/2011/07/07/storing-custom-data-in-forms-authentication-tickets/
这维护了加密和身份验证,并且使用 json 将类序列化到 UserData 字段中。
编辑:
博客不再存在,可以找到存档在此网络存档上。
博客摘要:
获取现有的 cookie 和身份验证票证
定义您的自定义数据(确保其可序列化为 json)
使用您的数据和现有的身份验证票证设置创建新的身份验证票证
将您的自定义票证设置为cookie 并添加到响应中
I've written an in depth tutorial on how to do this here:
http://www.danharman.net/2011/07/07/storing-custom-data-in-forms-authentication-tickets/
This maintains the encryption and authentication, and uses json to serialize a class into the UserData field.
Edit:
The blog no longer exists, an archive can be found on the web archive here.
Summary from blog:
Get the existing cookie and auth ticket
Define your custom data (make sure this is serializable to json)
Create a new auth ticket with your data, and existing auth ticket settings
Set your customized ticket into cookie and add to response
显然我走在正确的道路上:http://www.asp。 net/learn/security/tutorial-03-vb.aspx(第 4 步:第 4 步:在票证中存储其他用户数据)
Apparently I was on the right track: http://www.asp.net/learn/security/tutorial-03-vb.aspx (Step 4: Step 4: Storing Additional User Data in the Ticket)
是的。 如果您将用户 ID 和登录信息存储在 cookie 中,那么什么会阻止某人将其 cookie 更改为任何人的用户 ID 和登录信息?
您需要设置一个身份验证票证系统。 基本上,它是一个 cookie 值,在不存在会话时检查。 如果存在值,您可以针对应包含其用户 ID 的票证表运行该值。 如果您找到票证,请给他们一个会话和一张新票证。
Yes. If you are storing the User ID and Login in the cookie what's stopping someone from changing their cookies to anyone's User ID and Login?
You need to set up an auth ticket system. Basically it's a cookie value that gets checked when no session exists. If a value is present you run that against a ticket table which should contain their User ID. If you find the ticket, give them a session and a new ticket.
如果您已经有了一个包含个人资料信息的用户表,为什么不使用 自定义配置文件提供商。
如果您想要另一个如何实现类似功能的示例,您可以查看 SQL 表配置文件提供程序
If you've already got a user table with profile information in it, why don't you hook into it with a custom profile provider.
If you want another example of how to implement something like this, you could take a look at the SQL Table Profile Provider
也许你可以创建另一个 cookie...我个人不会弄乱 auth cookie。
Maybe you could just create another cookie... I personally wouldn't mess with the auth cookie.
在 cookie 中存储额外的用户数据意味着每次请求时都会从客户端来回发送更大的 cookie。
避免您担心的额外数据库命中的更好方法是在用户登录后将该数据缓存在内存中。ASP.NET
有一个每个请求缓存 HttpContext.Current.Items 和一个应用程序域缓存 HttpContext.Current.Cache,我认为您正在这种情况下寻找 HttpContext.Current.Cache 。
或者,如果您需要跨 Web 服务器(负载平衡 Web 服务器)进行缓存,您可以查看第 3 方键值存储,例如 memcached、redis、velocity、ncache 等。
Storing extra user data in the cookie means a larger cookie that is sent back and forth from the client with every request.
A better approach to avoid the extra database hits you are worried about is to cache that data in memory after the user logs in.
ASP.NET has a per request cache HttpContext.Current.Items and a app domain cache HttpContext.Current.Cache, I think you are looking for HttpContext.Current.Cache in this instance.
Alternatively if you need caching across web servers (load balanced web servers) you can look into 3rd party key value stores like like memcached, redis, velocity, ncache etc.