ASP.NET 会员资格:是还是不是?
我正在考虑如何使用 ASP.NET 和 MVC2 实现授权和身份验证。我们将其称为用户系统。
我见过三种类型的解决方案:
- 使用内置的 ASP.NET 会员系统 (NerdDinner )
- 自己动手 (Shrinkr)
- 为 ASP.NET 成员资格创建一个抽象层 (Tekpub 的 mvcstarter 工具包)
我一直在阅读您的知情想法,许多人说尝试推出您自己的“用户系统”甚至可能是如果您不注意安全细节,则很危险。另一方面,解决方案要简单得多。所有内容可能都存储在一个数据库中,而用户特定的内容则存储在一个用户表中。该解决方案的开销似乎相当低。
使用 ASP.NET 成员资格解决方案允许使用许多开箱即用的功能,但恕我直言,这确实令人困惑。您可能需要将成员身份信息存储在其自己的数据库中,并以某种方式能够将用户实体从您的站点特定数据库链接到 ASP.NET 数据库。
如果您使用 ASP.NET 会员资格,
- 您的数据库架构是什么样的?如何创建与 ASP.NET 会员用户的外部关系(即歌曲<=>FavoriteSongs (<=>SiteUsers)<=>aspnet_Users)?
- 你为什么不自己滚?
如果您自己推出了
- 您使用了哪种用户系统抽象层(如果有)?
- 为什么不使用 ASP.NET 会员资格?
分析这些可能性我真的很不知所措。请把我从这个会员瘫痪的粘性网络中踢向正确的方向!谢谢。
I'm contemplating how I should implement authorization and authentication with ASP.NET and MVC2. Lets refer to this as a user system.
I have seen three types of solutions in the wild:
- Use the built-in ASP.NET Membership system (NerdDinner)
- Roll your own (Shrinkr)
- Create an abstraction layer for the ASP.NET membership (Tekpub's mvcstarter kit)
I've been reading your knowing thoughts and many say that trying to roll your own "user system" might be even dangerous, if you are not careful with the security details. On the other hand, the solution is a whole lot simpler. Everything is probably stored in one database and user specific stuff is in one users table. The overhead for this solution seems to be quite low.
Using the ASP.NET membership solution allows to use a lot of out-of-the-box functionality, but IMHO, is really confusing. You probably need to store the membership stuff in its own database and somehow be able to link the user entity from your site specific database to the ASP.NET one.
If you are using the ASP.NET membership
- How does your database schema look like? How do you create foreign relationships to the ASP.NET membership users (ie. Songs <=> FavoriteSongs (<=> SiteUsers) <=> aspnet_Users)?
- Why didn't you roll your own?
If you have rolled your own
- What kind of user system abstraction layer, if any, did you use?
- Why didn't you use ASP.NET membership?
I'm really paralyzed by analyzing these possibilities. Please kick me in the right direction from this sticky web of membership paralysis! Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
内置的会员提供程序已经很安全并且非常易于使用。您可以在几个小时内启动并运行内置的会员资格。或者(取决于您正在构建的应用程序类型)您也可以使用 OpenID 进行检查,这就是StackOverflow 使用。
此外,通过内置的成员资格提供程序,创建关系就像使用“唯一标识符”将 aspnet_User 表(我记不起确切的名称)与相关表一样简单。
我将所有会员“内容”存储在与系统数据库相同的数据库中,并且它从未引导我出错。创建会员“东西”也很容易。只需运行 aspnet_regsql.exe 针对您想要拥有 asp.net 成员资格的数据库
这是另一个同样的问题。
the built in membership provider is already secure and is really REALLY easy to use. You can be up and running with built in membership in a couple of hours. Alternatively (depending on what type of application you're building) you could also check out using OpenID which is what StackOverflow uses.
Also, with the built in Membership Provider, creating relationships is as easy as using a "uniqueidentifier" to relate the aspnet_User table (I can't remember the exact name off the top of my head) with the related table.
I store all of my membership "stuff" in the same database as the system db, and it has never steered me wrong. Creating the membership "stuff" is easy as well. Just run the aspnet_regsql.exe against the database that you want to have asp.net membership
Here's another SO question along the same lines.
许多人选择不推出自己的身份验证系统是有充分理由的!这是非常危险的,有很多小方法可能会导致您出错,从而使您的网站容易受到攻击。
然而,我是那些冒险家之一,并且确实自己做了。我仔细检查了每一行代码是否存在安全缺陷,自从发布了我的身份验证系统 1.0 以来,到目前为止我还没有修补过任何安全缺陷。无论如何,我的身份验证系统名为 FSCAuth 并获得 BSD 许可。
我不太确定你的意思。我基本上有一层用于检索用户数据并将其写入数据库或从数据库写入用户数据。 FSCAuth 实际上处理 cookie 和 HTTP 身份验证的一层。并且,您可以在其中告诉 FSCAuth“嘿,只有当前用户位于管理员组中时才能看到此页面”。
我的 UserData 类非常简单,只需要 4 个字段:Username、PasswordHash、UniqueID 和 Salt。这就是 FSCAuth 所依赖的。如果您需要更多字段,您可以继承 UserData 类,它的工作原理是一样的。
我发现内置 ASP.Net 身份验证有很多缺点
更困难。其中许多问题都是设计使然,我相信这是尝试制作一款让每个人都满意的软件的症状。
好吧,在 FSCAuth 中,我在设计上遗漏了很多东西,老实说,它不可能适合所有人。但在许多常见场景中,它比 ASP.Net 成员资格更容易使用。几乎可以使用世界上任何散列算法。用于身份验证的单个数据库命中。无状态登录。唯一 ID 可以是任何适合字符串的内容。等等。
因此,如果您在解决 ASP.Net 的内置身份验证和推出自己的身份验证之间犹豫不决,请先看看 FSCAuth。如果不出意外的话,它是您自己推出的一个很好的起点。
Many people choose not to roll their own authentication systems for good reason! It's quite dangerous and there are many small ways you can get it wrong and leave your site open to attack.
I, however, am one of those risk takers and did roll my own. I double and triple checked every line of code for a security flaw and so far I've not had any security flaws patched since I released 1.0 of my authentication system. Anyway, my authentication system is named FSCAuth and BSD licensed.
I'm not quite sure what you mean. I basically have one layer where user data is retrieved and written to/from the database. One layer where FSCAuth actually deals with the cookies and HTTP authentication. And, one layer where you tell FSCAuth that "hey, this page should only be seen if the current user is in the Admin group".
My UserData class is quite simple with only 4 fields being required: Username, PasswordHash, UniqueID, and Salt. This is what FSCAuth depends on. If you need more fields, you can inherit form the UserData class and it'll work just the same.
I found so many short comings in the built in ASP.Net authentication
Many of these problems are by design and I believe are a symptom of trying to make one piece of software that will satisfy everyone.
Well, in FSCAuth I left quite a bit of things out by design, and honestly there is no way it's suitable for everyone.. but it's much easier to use than ASP.Net membership in many common scenarios. Can use just about any hashing algorithm under the sun. A single database hit for authentication. Stateless logins. A unique ID can be anything that'll fit in a string. Etc.
So if you're stuck in the decision between working around ASP.Net's built-in authentication and rolling your own, give FSCAuth a look first. If nothing else, it makes a great starting point for rolling your own.