Asp.Net mvc 身份验证,在哪里放置自定义会话密钥?
我有一个用户数据库,可以通过网络服务访问该数据库。 其中一种 Web 服务方法是这样的:
public void login(string name, string password, out user_key)
在我的控制器中,我想做这样的事情:
String key = repo.login(username, password); // a wraper on the login method
if(key ....)
FormsAuthentication.SetAuthCookie(username, false);
我的问题来了: 该密钥用于检索特定用户数据。 我应该把钥匙放在哪里,以便我可以访问它? 我的意思是 FormsAuthentication 类有一个方法吗,因为 说这样的话: 会话["key"] = key 对我来说这看起来不是一个好的做法。 这里的好的做法是什么?这样坏人就不会侵入我的会话。
I have a user database, to which I have access trough a web service.
One of the web service method is something like this:
public void login(string name, string password, out user_key)
and in my controller I want to do something like this:
String key = repo.login(username, password); // a wraper on the login method
if(key ....)
FormsAuthentication.SetAuthCookie(username, false);
And my questions, here they come:
This key is used for retrieving specific user data.
Where do I put the key, so that I can have access to it?
I mean is there a method for the FormsAuthentication class, because
saying something like:
Session["key"] = key
doesn't look like a good practice to me.
And what is the good practice here? so that bad-guys won't hack my session.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不太明白你的意思
我已经使用像
Controller.HttpContext.Session这样的东西很长时间了,并且完全不感到任何内疚。如果您想担心被黑客攻击,那么您应该确保您的 GET 参数在传递到数据库之前经过适当的清理。 这很重要。
Don't quite understand what do you mean by
I've been using something like
Controller.HttpContext.Sessionfor the longest period of time and don't feel slightest guilt at all.If you want to worry about being hacked, then you should make sure that your GET parameter are properly sanitized before they are passed into database. That's important.
在 ASP.NET 中,会话与身份验证 cookie 是分开的,因此为了接管会话,攻击者必须复制身份验证 cookie 和会话 cookie。
您可以使用 构造函数,在生成用户数据之前接受用户数据,然后通过UserData 属性。但请注意,如果此用户密钥敏感,那么您可能需要加密身份验证 cookie。这是 ASP.NET 中的默认设置,但值得将其具体化并将其放入
您的 web.config 中
Sessions are separated from the authentication cookie in ASP.NET, so in order to take over a session the attacker would have to replicate both the authentication cookie and the session cookie.
You can write user information as part of the authentication ticket by using one of the constructors which accept userData before generating it and then reading it via the UserData property. Be aware though if this user key is sensitive then you may want to encrypt the authentication cookie. This is the default in ASP.NET but it's worth being specific and putting
into your web.config