ASP.NET MVC 建议使用会话令牌路由 URL
我正在尝试实现一个与另一个站点交互的小型 ASP.NET MVC 站点。简而言之,主站点和附属站点之间的会话是通过 URL 中的令牌进行管理的。我可以指定 url 格式,但无法删除将会话令牌作为 URL 的一部分提交的要求。
我正在尝试弄清楚如何设置路由,并且在这里有一些想法。我无法决定哪一个最好,或者是否有更好的方法。我想到的主要方式:
routes.MapRoute("Main", "{controller}/{action}/{id}/{token}");
提供类似 http:// mysite.com/Products/Detail/5/5f1c8bbf-d4f3-41f5-ac5f-48f5644a6d0f 优点:主要与现有的站点导航 MVC 约定保持一致 缺点:当支持 ID 和 Action 的默认值时,会增加路由的复杂性。
routes.MapRoute("Main", "{token}/{controller}/{action}/{id}/");
提供类似 http://mysite.com/5f1c8bbf-d4f3- 的 URL 41f5-ac5f-48f5644a6d0f/产品/详细信息/5 Pro:简化路由 - 仍然可以按照标准 MVC 约定应用操作/ID 默认值 缺点:非常“不像网络”的 URL。需要正则表达式来验证第一个变量是有效的 GUID/令牌,然后再继续表中的下一个路由。
我想到的另一种可能性是传递会话,例如:
http://mysite.com/Home/Index?session=5f1c8bbf-d4f3-41f5-ac5f-48f5644a6d0f
与此相关的问题是我有一个从 Controller 派生的基类,所有其他安全页面都正在经历该基类。 SecureController 类重写 Execute() 并检查从 URL 获取的令牌的有效性。这两种方法(GET 和路由)似乎很容易在控制器 Execute() 函数中获取令牌,但是 GET 方法感觉有点俗气,而路由方法感觉由于缺乏更好的解释,打破了MVC 路由设计的优雅。
还有其他人解决过类似的问题并有任何特别的成功或困难可以分享吗?
I'm trying to implement a small ASP.NET MVC site which interacts with another site. In short, sessions are managed between the main site and satellite sites through tokens in the URL. I can specify the url format but I can't remove the requirement that a session token is submitted as part of the URL.
I'm trying to work out how to set up the routing and am in a few minds here. I can't decide which would be best, or if there is perhaps a better way to do it. The main ways I'm thinking:
routes.MapRoute("Main", "{controller}/{action}/{id}/{token}");
Gives URLs like http://mysite.com/Products/Detail/5/5f1c8bbf-d4f3-41f5-ac5f-48f5644a6d0f
Pro: mostly keeps with existing MVC convention for site nagivation
Con: Adds complication to routing when supporting defaults for ID and Action.
routes.MapRoute("Main", "{token}/{controller}/{action}/{id}/");
Gives URLs like http://mysite.com/5f1c8bbf-d4f3-41f5-ac5f-48f5644a6d0f/Products/Detail/5
Pro: simplifies routing - can still apply action/id defaults as per standard MVC convention
Con: very "un-web-like" URLs. Requires regex to validate that the first variable is a valid GUID / token before moving on to next route in the table.
The other possibility coming to mind, passing sessions like:
http://mysite.com/Home/Index?session=5f1c8bbf-d4f3-41f5-ac5f-48f5644a6d0f
The related problem with that is I have a base class derived from Controller which all other secure pages are going through. The SecureController class overrides Execute() and checks for the validity of the token taken from the URL. Both approaches (GET and routing) seem like it would be easy enough to get the token within the controller Execute() function, but the GET approach feels kind of tacky whereas the routing approach feels like it's, for lack of better explanation, breaking the elegance of the MVC routing design.
Has anyone else out there taken on a similar problem and had any particular successes or difficulties to share?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看来无论你做什么,你的 URL 都会因为该令牌而变得非常混乱。
我也必须在 ASP.NET MVC 应用程序中处理这种单点登录功能,但我采用了一种稍微不同且简单得多的方法:我创建了一个带有
GatewayController>SignOn 操作将会话令牌和 URL 作为参数。然后,此
SignOn操作将仅检查会话令牌的有效性,然后让用户登录到我的网站,重定向到提供的 URL。从那时起,不再需要会话令牌,因为从那时起身份验证将基于 cookie。它可能并不完全适用于您的情况,具体取决于您的要求。如果您需要在某处不断检查会话令牌的有效性,那么您可以执行与我相同的操作,然后将会话令牌存储在用户的会话数据中,从而允许您检查每个请求中的令牌。
It seems no matter you do, your URLs will be pretty messy with that token.
I have had to handle this kind of single sign-on functionality in an ASP.NET MVC app as well, but I went for a slightly different and much simpler approach: I created a
GatewayControllerwith aSignOnaction that took a session token and a URL as parameters.Then this
SignOnaction would just check the validity of the session token and then sign the user on to my site, redirecting to the supplied URL. From then on, the session token is not needed anymore, as authentication from then on would be cookie-based.It might not be entirely applicable in your case, depending on your requirements. If you are required to continuously check the validity of the session token somewhere, you could however just do the same thing as I did and then store the session token in the user's session data, allowing you to check the token in each request.