Please give me your opinion on my authentication scheme

Posted on 2024-10-16 10:14:34

I have an ASP.NET 2010 app and to be honest, I have struggled with the Membership API the whole way. Overview is pretty typical. I create the user, and then attempt to set a persistent cookie using ...

FormsAuthentication.SetAuthCookie(UserName, True)

After that, whenever a non-authenticated user hits a restricted page, they should be sent back to the login screen. Meanwhile, if a user with a persistent cookie hits a restricted page, I want to grab the cookie, and log them in automatically, as long as the cookie is not expired. Here is my Web.Config...

<authentication mode="Forms">
<forms
        name=".ASPXAUTH"
        path="/"
        loginUrl="~/Account/Login.aspx"
        protection="All"
        timeout="129600"
        slidingExpiration="true"
        defaultUrl="~/Authenticated/User/UserHome.aspx"
        />
</authentication>

So my questions are...

  1. Why can't I find the ASPXAUTH cookie even though I persisted it?
  2. Is my plan to validate them against this cookie (the username in the cookie) in the SessionStart event a good idea?
  3. Why, when I click the log out which runs FormsAuthentication.SignOut(), which should kill the cookie, can I still get to an authenticated page if I type it directly into the browser?

Comments (1)

苍暮颜 2024-10-23 10:14:34

> Meanwhile, if a user with a persistent
> cookie hits a restricted page, I want
> to grab the cookie, and log them in
> automatically, as long as the cookie
> is not expired

The framework should automatically detect the cookie for you. I suspect your attempts to manually do this are causing some or all of your issues.

Could you post all of the code where you're interacting with the cookie and forms authentication?
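
What the answer describes, as an added example that is not part of the original question or answer: with forms authentication enabled, the FormsAuthenticationModule reads and validates the .ASPXAUTH ticket on every request, so application code only issues the ticket at login and reads the resulting identity afterwards. The module name AuthHelpers, its method names and the `<location>` rule for the Authenticated folder are assumptions.

```vb
' Added example: AuthHelpers, SignIn, CurrentUserName and SignOut are hypothetical names.
' Assumed authorization rule in Web.config so anonymous users are sent to loginUrl:
'   <location path="Authenticated">
'     <system.web><authorization><deny users="?" /></authorization></system.web>
'   </location>
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Module AuthHelpers

    ' Login page: verify the password, then let the framework issue the ticket.
    Public Function SignIn(ByVal userName As String, ByVal password As String,
                           ByVal rememberMe As Boolean) As Boolean
        If Not Membership.ValidateUser(userName, password) Then
            Return False
        End If
        ' Sets the .ASPXAUTH cookie (persistent when rememberMe is True) and
        ' redirects to the ReturnUrl query value or the configured defaultUrl.
        FormsAuthentication.RedirectFromLoginPage(userName, rememberMe)
        Return True
    End Function

    ' Any later request: the cookie has already been decrypted, validated and
    ' checked for expiry by the framework, so no Session_Start code is needed.
    Public Function CurrentUserName(ByVal context As HttpContext) As String
        Dim user As IPrincipal = context.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Return Nothing
        End If
        Return user.Identity.Name
    End Function

    ' Logout: SignOut only tells the browser to drop the cookie; the ticket is
    ' not revoked server-side, which matters with a 129600-minute timeout.
    Public Sub SignOut(ByVal context As HttpContext)
        FormsAuthentication.SignOut()
        If context.Session IsNot Nothing Then
            context.Session.Abandon()
        End If
        FormsAuthentication.RedirectToLoginPage()
    End Sub

End Module
```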
