以将会话状态数据与身份验证 cookie 绑定的方式维护会话状态数据
我正在开发一个 ASP.NET MVC 3 应用程序,它本质上是数据库的代理。要登录,用户必须提供其数据库用户和名称。 (我知道使用数据库用户作为应用程序用户不是一个好主意,但我没有设计数据库,所以不要责怪我。)
当我的用户登录时,我想存储在会话变量中他们的用户名和密码:
Session["UserID"] = TheConnectionStringBuilder.UserID;
Session["Password"] = TheConnectionStringBuilder.Password;
但是,会话状态本质上并不与身份验证 cookie 相关联,这可能会在以后引起问题。有没有什么方法可以保存会话状态数据,使其与身份验证 cookie 保持绑定?
I am developing an ASP.NET MVC 3 Application that is essentially a proxy to a database. To login, users must provide their database user and name. (I know it isn't a good idea to use database users as application users, but I didn't design the database, so don't blame me.)
When my users log in, I would like to store in a session variable their username and password:
Session["UserID"] = TheConnectionStringBuilder.UserID;
Session["Password"] = TheConnectionStringBuilder.Password;
However, session state is not intrinsically tied to the authentication cookie, and this could cause problems later. Is there any way to keep session state data in such a way that it remains tied to the authentication cookie?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
其中一种方法可以是使用配置将会话状态超时与身份验证超时进行匹配。例如,
另一种方法是将凭证存储到用某个生成的密钥标记的某个持久性存储(例如文件)中,然后将该密钥保留在身份验证 cookie 中。然而,我觉得这是一种迂回的做事方式,我宁愿采用会话方法。
由于某种原因,如果您在会话中找不到用户 ID/密码(例如,应用程序池回收),您可以强制用户重新登录(通过使用 FormsAuthentication.SignOut 后跟 RedirectToLoginPage)。
One of the way could be matching session state time-out with authentication time-out using configuration. For example,
Yet another way would be to store credentials into some persistent store (such as file) tagged with some generated key and then keep this key in authentication cookie. However, I feel this is a round about way of doing things and I would rather go with session approach.
For some reason, if you don't find the user id/password in the session (for example, application pool recycle), you can force user to re-login (by using FormsAuthentication.SignOut followed by RedirectToLoginPage).