在客户端上访问 ASP.NET 身份验证票证(通过 javascript)
我有一个使用表单身份验证的 ASP.NET 网站,
<authentication mode="Forms">
<forms name="NewsCoreAuthentication" loginUrl="~/Default.aspx" defaultUrl="~/Default.aspx" protection="Validation" timeout="300" domain="someRootDomain.com" />
</authentication>
我需要确定用户在网页呈现给客户端后是否经过身份验证。 为了实现这一点,我认为我可以读取 document.cookie 并检查“.ASPXAUTH”是否存在。 但问题是,即使我签名了,这个值也是空。
如何检查用户是否已通过身份验证? 为什么 document.cookie 为空?
谢谢您的解答。 blowdart 帮助我理解了为什么无法从客户端脚本访问身份验证票证。
I have an ASP.NET website that uses Forms authentication
<authentication mode="Forms">
<forms name="NewsCoreAuthentication" loginUrl="~/Default.aspx" defaultUrl="~/Default.aspx" protection="Validation" timeout="300" domain="someRootDomain.com" />
</authentication>
I need to identify if user is authenticated on web page after it was rendered to client.
To accomplish this I thought that I can read document.cookie and check if ".ASPXAUTH" is there.
But the problem is that even if I am signed in this value is empty.
How can I check that user is authenticated?
Why document.cookie is empty?
Thank you for answers. blowdart helped me to understand why authentication ticket is not accessible from client script.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
正如其他人所说,身份验证票是并且应该是 httponly。
执行此操作的最佳方法是使用 ApplicationServices。 JSON 身份验证端点公开 IsLoggedIn,我注意到您对服务器负载的担忧。调用静态端点来简单地检查 cookie 的开销可以忽略不计。真的。
因此,如果您使用MsAjax,只需启用应用程序服务并调用Sys.Services.AuthenticationService.IsLoggedIn。
如果您想从原始 javascript 执行此操作,这里是 codez ;-)
将此段添加到您的配置文件
页面....
As others have said, the auth ticket is and SHOULD be httponly.
The best way to do this is to use ApplicationServices. The JSON authentication endpoint exposes IsLoggedIn and I have noticed your concern regarding server load. The overhead of a call to a static endpoint that simply checks the cookie for you is negligible. Really.
So, If you are using MsAjax, just enable application services and call Sys.Services.AuthenticationService.IsLoggedIn.
If you want to do this from raw javascript here is the codez ;-)
Add this segment to you config file
The page....
第一……这是一个坏主意。检查用户是否在客户端获得授权绝对不安全。没有任何。
但如果你真的想这样做......在后面的代码中进行签入,并将一个可以通过 Javascript 读取的值推送到客户端。类似于:
RegisterClientScript("isvalidated", "var isUserAuthenticated = " + UserAuthenticated);
你现在看到问题了吗?你可以在 AJAX 中做同样的事情......但它有同样的问题。
好的,我可以认为这样做对用户来说是一种简单的方便......例如,如果它们被授权,则显示某些链接。但它在任何形式上都不安全。帮自己一个忙,在代码隐藏中处理这个问题。
Number one... this is a bad idea. There is absolutely no security in checking if a user is authorized on the client side. None.
But if you really want to do this... do the check in code behind, and push a value to the client that can be read via Javascript. Something akin to:
RegisterClientScript("isvalidated", "var isUserAuthenticated = " + UserAuthenticated);
You see the problem now? You could do the same thing in AJAX... but it has the same problem.
OK, I can see doing this as a simple convenience for the user... showing certain links if they are authorized for instance. But it is not secure in any way shape or form. Just do yourself a favor and handle this in code-behind.
它为空的原因是因为 cookie 受到标记为 HttpOnly 的保护。这意味着它无法通过脚本访问。关闭此功能是一个非常非常糟糕的主意,因为您网站中的 XSS 漏洞可能会导致 cookie 被盗,所以我不会告诉您如何做到这一点。
The reason it's blank is because the cookie is protected by being marked as HttpOnly. This means it cannot be accessed via script. Turning this off is a very very bad idea, as XSS vulnerabilities in your site could expose it to cookie theft, so I'm not going to tell you how you can do it.