在 ASP.NET 表单身份验证中,如何验证身份验证 cookie 内的身份验证票证?
启用表单身份验证后,一旦用户提供了用户名和密码,它将使用Web配置或使用数据库(如果实现自定义)进行验证,并将创建一个身份验证cookie,该验证cookie将具有身份验证票证。
现在,FormauthenticationModule将负责检查此身份验证票在每个请求中是否有效。
使用Q1生成身份验证票
FormsAuthentication.RedirectFromLoginPage("userName", isPersistentCookie)
。该身份验证票是否也存储在服务器中,还是仅存储在cookie中?
仅在cookie而不在服务器中:
Q2。如果此身份验证票证信息不在服务器上,则如何formauthenticationmodule检查客户端的cookie是否有效?
Q3。它怎么知道cookie是否过期?应该有cookie的创建时间何时确定是否过期?
Q4。如果我正在使用数据库,并且现在管理员用户已从DB中删除了非Admin登录的用户。现在,非Admin用户对服务器的下一个请求,cookie应该无效,对吗?使用表格身份验证是否可以实现?
Q5。我的假设是,该身份验证票是使用一些键加密的,并且只能被服务器解密,因为它是具有密钥的那一张?但是我也看到一个问题。例如,我将一个应用程序的cookie拿到IIS上的另一个应用程序。现在,formauthentication module将如何确定此cookie是否属于此特定应用程序?
When Forms Authentication is enabled, once the user provides a username and password it will be validated using web config or using a database(if custom implemented) and will create an Authentication Cookie which will have an authentication ticket.
Now FormsAuthenticationModule will be responsible to check if this Authentication ticket is valid on every request.
The authentication ticket is generated using
FormsAuthentication.RedirectFromLoginPage("userName", isPersistentCookie)
Q1. Is this authentication ticket is stored in the server too or only in the cookie?
If only in Cookie and not in server:
Q2. If this authentication ticket information is not on the server how will FormsAuthenticationModule check if the cookie coming from the client is valid or not?
Q3. How will it know if the cookie is expired? It should have like when is the creation time of the cookie to tell if it is expired right?
Q4. If in case I am using database and now Admin user has deleted the non-admin logged-in user from DB. Now the next request from the non-admin user to the server, the cookie should be invalid, right? Is this even achievable using forms authentication?
Q5. Just my assumption is that this authentication ticket is encrypted using some key and can be decrypted only by the server as it is the one that has the key? But here also I see an issue. For example, I take one application's cookie and then pass it to another application on IIS. Now how will FormsAuthenticationModule determine if this cookie belongs to this particular application?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
归根结底,您确实无法改变这种工作的工作方式 - 因此,这里的答案实际上并没有太大帮助 - 但是无论如何,让他们一次将它们一个A一个:
该信息存储在浏览器侧。
当您退回任何帖子时,将发送该cookie - 您运行或执行的每个帖子都会导致许多SQL提供商例程运行 - 包括“ getuser()”,
因此,每个帖子都会使用并运行getuser例程。
像其他任何饼干一样 - 有些人可以在浏览器中坐着一年更多 - 并不重要。如果cookie已过期,则用户只需再次登录即可。
实际上,如果使用标准登录控件,通常会看到此设置:
所以,单击记住我将保存cookie。如果您不这样做,那么在大多数情况下,您下次来该网站时必须重新使用。但是,浏览器通常可以并且会根据您无法控制的用户浏览器设置为您记住这些信息 - 在您的控件的侧面。
它甚至都不是可实现的问题 - 如果删除用户,则SQL身份验证提供程序代码运行 - (在这种情况下,FBA将尝试运行Getuser)。获取用户是此代码存根:
因此,如果删除用户,则下一个帖子“ getuser”将失败,它们将被重新指导回您的登录页面。
我不相信您可以做上述。每个站点都可以使用它自己的登录饼干 - 您不能仅仅将其作为另一个网站URL将其传递给它 - 我所知。并且用户将需要有效的登录,如上所述,每次都会调用Getuser -Web浏览器必须传递登录信息 - 如果不匹配,则再次将其定向到登录页面。
At the end of the day, you really can't change how this works - so, the answers here actually don't help you much - but lets take them one a at a time anyway:
the information is stored in the browser side.
When you do ANY post back, that cookie is sent - and EVERY post back you run or do will cause a number of sql provider routines to run - including "GetUser()"
So, EVERY post back will use and run the the GetUser routine.
Like any other cookie - some can sit around in the browser for MORE then a year - don't really matter. If the cookie was expired, the user would simply have to login again.
In fact, you often see this setting if you using the standard login control:
So, clicking remember me will save the cookie. If you don't, then in most cases you have to re-login the next time you come to the site. However, browsers often can and will remember this information for you - out side of YOUR control - based on users browser settings which you don't have control over.
It not even a question of achievable - if you delete the user, then the sql authentication providers code runs - (in this case FBA, it will try to run GetUser). Get user is this code stub:
So, if you delete the user, then next post back, "GetUser" will fail, and they will be re-directed back to your logon page.
I don't believe you can do the above. Each site gets it own logon cookie - you can't just take it and pass it off as another site url - that don't work to my knowledge. And the user will require a valid logon, and as noted, the GetUser gets called every time - the web browser will have to passed the logon information - and if it don't match, then again, you get directed to the logon page.