Setting HttpContext.User for the session

Posted on 2024-08-18 22:50:19

I've implemented custom authentication in ASP.NET MVC. If a valid user tries to log in, I set the HttpContext.User = user in the Logon method of the AccountController. But it remains there for only that request. How can I set it for the session?

I used an alternative, set HttpContext.Session["CurrentUser"] = user. If I want to see if the session is authorized, I'd have to check that the HttpContext.User != null. But, I don't want to expose the authentication logic everywhere in the application. If I need to change that, it'd be messy.

Please help me solve this. One solution could be populating the HttpContext.User property of every request with the value of HttpContext.Session["CurrentUser"] at the beginning, but I don't know how to do it.

Comments (2)

陈年往事 2024-08-25 22:50:19

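Write the following method in the Global.asax's Application class:

// Session state is not loaded yet in BeginRequest; it is available once AcquireRequestState has run.
protected void Application_PostAcquireRequestState(Object sender, EventArgs e)
{
   HttpContext context = HttpContext.Current;
   // Session is null for requests that do not use session state.
   var user = context.Session == null ? null : context.Session["CurrentUser"] as System.Security.Principal.IPrincipal;
   if (user != null)
      context.User = user;
}

or you can use the "User" property of System.Web.Mvc.Controller that is inherited by your controllers (note: be sure to call the FormsAuthentication.SetAuthCookie method when you successfully validate your user's login).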

○愚か者の日 2024-08-25 22:50:19

The best way to do this is to write a custom authentication module and to hook it into your application. This module will execute before any request and will have a chance to set the HttpContext.User property as appropriate.

For example, consider the Forms Authentication module. Before your HTTP handler runs (be it an .aspx page, the MVC pipeline, etc.), it has a chance to intercept the request. It reads the value of a login cookie, decrypts and verifies the encrypted cookie value, and sets HttpContext.User if the checks pass. That way, when the handler runs and actually processes the request, the User property has already been set correctly.

In the end, what this will look like is that you don't need a custom authorization attribute on ASP.NET, as the [Authorize] attribute already provided in-box should work automatically with your custom authentication module. However, your AccountController.LogOn() method (or whatever you use in lieu of this) will need to communicate with the appropriate authentication provider that generates the token that will be validated by the authentication module. This should be the only place you'd need to write code different than what is provided in-box.

See http://social.msdn.microsoft.com/Search/en-US?query=http%20modules and http://social.msdn.microsoft.com/Search/en-US?query=custom%20authentication%20asp.net for more information.
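The flow described in this answer, as an added example that is not part of the original answer: a module that validates an encrypted ticket cookie on every request and sets HttpContext.User, plus the helper a logon action would call to issue that ticket. The names TicketAuthenticationModule and IssueTicket, and the convention of storing roles as a comma-separated list in the ticket's UserData, are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module; register it under <system.webServer><modules> in web.config.
public sealed class TicketAuthenticationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs before authorization and before the MVC handler, so [Authorize] sees the result.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    // Called from the logon action after the credentials have been verified.
    public static void IssueTicket(HttpResponseBase response, string userName, string rolesCsv)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), false, rolesCsv ?? "");
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows the <forms requireSSL> setting
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return; // stay anonymous

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        // A malformed or tampered value must leave the request anonymous, not crash it.
        catch (ArgumentException) { return; }
        catch (HttpException) { return; }
        catch (CryptographicException) { return; }
        if (ticket == null || ticket.Expired) return;

        // Assumption: IssueTicket stored the roles as a comma-separated list in UserData.
        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    public void Dispose() { }
}
```

Because the principal is rebuilt from the signed cookie on each request, no authentication state has to live in Session, and controllers only ever read the User property.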
