ASP.NET 表单身份验证 - 何时使用?
我无法决定是否应该进行表单身份验证?表单身份验证通常用于个性化,即为已知用户定制内容。我没有这样的要求。我在数据库中有用户名和密码,需要根据数据库对用户进行身份验证吗?在 ASP.NET 2.0 中实现相同目标的最佳推荐实践是什么?
I am not able to decide whether I should go for Forms Authentication ? Forms authentication is often used for personalization, where content is customized for a known user. I do not have such requirement. I have usernames and passwords in the DB and need to authenticate the users against the DB ? What is the best recommended practice to achieve the same in ASP.NET 2.0 ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
Forms Authentication 用于身份验证,您可以使用会员信息来自定义页面,但不是必须这样做。
Forms Authentication is used for authentication, you can use the membership information to customize pages, but you don't have to.
长话短说:
FormsAuthenication 类与密码无关。您需要使用它来保持用户登录到您的网站。为了验证密码,请使用 Membership 类或您自己的自定义系统。
从 FormsAuthentication 类的文档中:
如果查看 FormsAuthentication 的类定义,您将看到 验证方法。文档说“根据存储在应用程序配置文件中的凭据验证用户名和密码。”您不想使用此,因为您想存储用户和密码在数据库中,而不是配置文件中。这是整个 FormsAuthentication 类中唯一与密码相关的方法。
发出表单票证的正确方法是使用 SetAuthCookie 方法,该方法不需要密码。那么如何/在哪里检查密码呢?
答案:会员资格(或自定义的内容)。
会员资格是一个很大的主题,您确实需要花一些时间研究它并编写测试应用程序。我至少阅读了 关于 ASP.NET 的成员资格、角色和配置文件的多部分系列。
读完本文后,您可能会想是否应该编写自己的自定义会员资格提供程序。您可能想看看这里的一些答案,以获取有关 stackoverflow 或在出现问题时开始一个新问题。
TL;DR:
The FormsAuthenication class has nothing to do with passwords. You need to use it to keep users logged in to your website. In order to validate the passwords, use the Membership class or your own custom system.
From the documentation for the FormsAuthentication class:
If you look at the class definition for FormsAuthentication, you'll see an Authenticate method. The documentation says "Validates a user name and password against credentials stored in the configuration file for an application." You don't want to use this because you want to store users and passwords in a database, not the config file. This is the ONLY method related to passwords in the whole FormsAuthentication class.
The correct way to issue a forms ticket is with the SetAuthCookie method, which does not take a password. So how/where do you check the password?
Answer: Membership (or something custom).
Membership is a large topic and you really need to spend some time researching it and writing a test application. I'd read at least the first three articles in the Multipart Series on ASP.NET's Membership, Roles, and Profile.
After you're done reading that, you're probably going to wonder if you should write your own custom Membership provider. You might want to take a look at some of the answers here on SO for guidance on that stackoverflow or start a new question when that comes up.