在远程计算机上使用loginurl进行表单身份验证 [英] forms authentication with loginurl on a remote machine
本文介绍了在远程计算机上使用loginurl进行表单身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在制作一个网络应用程序(而不是两个应用程序),一个是主机
并且当客户刚刚浏览时使用它们产品。
第二个应用程序驻留在安全的服务器上。这将为客户持有所有
帐户相关信息,也将用于
admin
登录是使用表单身份验证实现,我只是在阅读
起来......但是每个人都已经知道......它们全都散落了...... b $ b到处都是...
now
< forms name =" CUSTOM.ASPXAUTH"
loginurl =" http://mysecuresever/myapplication/login.aspx" />
如果它是一台远程机器,它会被提到几个地方...而不是本地机器它们应该有相同的解密密钥。 />
对decryptionkey进行了搜索,发现:
本文介绍如何创建用于加密,解密,
和验证的密钥表单身份验证cookie数据。您可以使用本文中创建的密钥
来获取< machineKey>的validationKey和decryptionKey
属性。 < system.web>中的部分
Machine.config和Web.config文件中的元素。
现在我的问题是,如果我确实在< system下创建了机器密钥。网页>
并指定了密钥....然后我可以使用
两台机器上设置的cookie吗?
ie我可以在我的app1上使用它来检查客户端是否已登录并且可以在app2(在安全服务器上)使用相同的cookie来显示客户
相关信息?
所有这些都搞砸了....如果有人能帮助我一个朝向正确方向的半个体面步骤会很棒
-
问候,
HD
Hi,
I am making a web application (rather two applications) one which is host
and used by customers when they are just browsing through products.
The second application resides on a secure server. This is going to hold all
account related information for the customers and will also be used for
admin
The login is implemented using forms authentication and i was just reading
up about that... but as everyone already knows.... its all scattered
everywhere...
now
<forms name="CUSTOM.ASPXAUTH"
loginurl="http://mysecuresever/myapplication/login.aspx" />
it is mentioned a couple of places that if it is a remote machine... and not
a local machine they should have the same decryption key.
did a search on decryptionkey and found:
This article describes how to create keys to use for encryption, decryption,
and validation of Forms authentication cookie data. You can use the keys
that you create in this article for the validationKey and the decryptionKey
attributes of the <machineKey> section in the <system.web> element in the
Machine.config and the Web.config files.
now my question is that if i did create the machine key under <system.web>
and specified the keys.... would i then be able to use the cookie set on
both the machines ?
ie can i use it on my app1 to check whether the client is logged in and can
i in app2 (on secure server) use the same cookie for showing customer
related information ?
all this is so messed up.... would be great if someone could help get me a
half decent step in right direction
--
Regards,
HD
推荐答案
Hi Hermit,
感谢您使用Microsoft新闻组服务。根据您的描述。
您已经构建了两个ASP.NET Web应用程序(它们是逻辑上一个Web
应用程序的一部分)。由于您使用了表单身份验证并且
登录页面位于一台服务器上,因此您需要其他Web应用程序(在另一台服务器上)
共享身份验证cookie和常见cookie信息由登录设置
网络应用程序。我对你的问题的理解是否正确?
对于这个问题,它属于多宿主Web应用程序,例如
web farm情况。一般在ASP.NET Web应用程序中设置所有数据
并通过Response.Cookie或Request.Cookie检索使用
某些密钥加密,密钥可以是在MachineKey中设置
web.config或machine.config文件中的元素。此外,FormAuthentication的身份验证cookie
是自动检查和生成的,如果你想要
使它们成为身份并在不同的asp.net web应用程序中共享,那么'设置以下功能所需的
:
1. Cookie名称:asp.net运行时将检索身份验证
$ b通过此名称$ b cookie,它在表单中设置web.config中的元素为
以下:
< forms loginUrl =" login.aspx"名称= QUOT; formsauth1"超时= QUOT; 60"路径= QUOT; /" >
< credentials passwordFormat =" Clear">
< user name =" username"密码="密码" />
< / credentials>
< / forms>
2.另外,"路径"属性也很重要,但您可以保留
默认值/这样认证cookie
将被发送到每个网络应用程序。
3.机器密钥。我们也可以在web.config中覆盖它:
< machineKey validationKey ="你自定义键 decryptionKey ="您自定义密钥
validation =" SHA1" />
如果多个应用程序使用相同的显式值
< machineKey> element,从一个
应用程序发送的身份验证cookie被另一个应用程序成功解密。
有关上述功能的更多信息,您可以参考MSDN中的技术文章
:
表单身份验证请求未定向到loginUrl页面
http://support.microsoft.com/?id=313116
创建使用Visual C#.NET键在表单身份验证中使用
http:/ /support.microsoft.com/?id=312906
托管多个Web应用程序
http://msdn.microsoft.com/library/de...us/dnnetsec/ ht
ml / thcmch20.asp
如果您对此有任何疑问,请感受fre e让我知道。
Steven Cheng
微软在线支持
安全! www.microsoft.com/security
(此帖子按原样提供,不作任何保证,并且不授予
权利。)
Hi Hermit,
Thank you for using Microsoft Newsgroup Service. Based on your description.
You''ve build two ASP.NET web applications(they a part of one web
application logically). Since you used the form authentication and the
login page is on one server, you want the other web app(on another server)
shared the authentication cookie and common cookie info set by the login
web app. Is my understanding of your problem correct?
For this problem, it belongs to the Multi hosting Web applications such as
web farm situation. Generally in ASP.NET web application all the datas set
and retrieve via Response.Cookie or Request.Cookie are encrypted using a
certain key, the key is able to be set in the "MachineKey" element in the
web.config or machine.config file. In addition, the authentication cookie
for the FormAuthentication is auto checked and generated, if you want to
make them identity and shared in different asp.net web application, it''s
necessary to set the following features:
1. The Cookie name: The asp.net runtime will retrieve the authentication
cookie via this name, it is set in the "forms" element in web.config as
below:
<forms loginUrl="login.aspx" name="formsauth1" timeout="60" path="/" >
<credentials passwordFormat="Clear">
<user name="username" password="password"/>
</credentials>
</forms>
2. also, the "path" attribute is also important, but you can remain the
default value "/" so that the authentication cookie
will be sent to each web app.
3. the Machine key. We can also override this in web.config:
<machineKey validationKey="You custom key" decryptionKey="You custom key"
validation="SHA1" />
If multiple applications use identical, explicit values for the
<machineKey> element, an authentication cookie that is sent from one
application is decrypted by another application successfully.
For more information on the above features, you can refer the tech articles
in MSDN:
Forms Authentication Requests Are Not Directed to loginUrl Page
http://support.microsoft.com/?id=313116
Create Keys by Using Visual C# .NET for Use in Forms Authentication
http://support.microsoft.com/?id=312906
Hosting Multiple Web Applications
http://msdn.microsoft.com/library/de...us/dnnetsec/ht
ml/thcmch20.asp
If you have any questions on it, please feel free to let me know.
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Steven,
感谢您的写作。请稍微阅读,因为我明天有70-315
但我会在未来几天尝试一下。
但有一件事 - 配置文件是否需要有用户信息和
密码格式是否必须是明文?
将查找文章和非常感谢,
HD
" Steven Cheng [MSFT]" <,V - ****** @ online.microsoft.com>在消息中写道
news:py ************** @ cpmsftngxa07.phx.gbl ...
Steven,
Thanks for writing in. Gotta read up a bit cause i have an 70-315 tomorrow
but i will give it a try some time in coming days.
One thing though - is it necessary for the config file to have user info and
does the passwordFormat have to be cleartext ?
Will look up the articles and thanks a lot,
HD
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:py**************@cpmsftngxa07.phx.gbl...
Hi Hermit,
感谢您使用Microsoft新闻组服务。根据您的
说明。您已经构建了两个ASP.NET Web应用程序(它们逻辑上是一个Web应用程序的一部分)。由于您使用了表单身份验证并且
登录页面位于一台服务器上,因此您希望其他Web应用程序(在另一台服务器上)共享身份验证cookie和登录设置的常见cookie信息
网络应用。我对你的问题的理解是否正确?
对于这个问题,它属于多宿主Web应用程序,例如web farm情况。通常在ASP.NET Web应用程序中,通过Response.Cookie或Request.Cookie设置的所有数据集和检索都是使用某个密钥加密的,该密钥可以在MachineKey中设置。
web.config或machine.config文件中的元素。此外,FormAuthentication的身份验证cookie
会自动检查并生成,如果您想在不同的asp.net Web应用程序中使它们成为身份并共享,那么它是必要的。设置以下功能:
1. Cookie名称:asp.net运行时将通过此名称检索身份验证
cookie,它在表单中设置。 web.config中的元素如下:
< forms loginUrl =" login.aspx"名称= QUOT; formsauth1"超时= QUOT; 60"路径= QUOT; /" >
<凭据passwordFormat ="清除">
<用户名="用户名"密码="密码" />
< / credentials>
< / forms>
2.还有,路径属性也很重要,但您可以保留
默认值/以便将身份验证cookie
发送到每个Web应用程序。
3.机器密钥。我们也可以在web.config中覆盖它:
< machineKey validationKey ="你的自定义键" decryptionKey ="您自定义密钥"
validation =" SHA1" />
如果多个应用程序对
< machineKey>使用相同的显式值。 element,从一个
应用程序发送的身份验证cookie被另一个应用程序成功解密。
有关上述功能的更多信息,您可以参考MSDN中的tech
文章:
表单身份验证请求未定向到loginUrl页面
http://support.microsoft.com/?id=313116
使用Visual C#.NET创建密钥以在表单身份验证中使用
http://support.microsoft.com/?id=312906
<主持多个Web应用程序
http://msdn.microsoft.com/library/de...us/dnnetsec/ht ml / thcmch20.asp
如果您有任何疑问它,请随时让我知道。
Steven Cheng
Mi crosoft在线支持
获得安全! www.microsoft.com/security
(此帖已提供按原样,没有保证,也没有赋予
权利。)
Hi Hermit,
Thank you for using Microsoft Newsgroup Service. Based on your description. You''ve build two ASP.NET web applications(they a part of one web
application logically). Since you used the form authentication and the
login page is on one server, you want the other web app(on another server)
shared the authentication cookie and common cookie info set by the login
web app. Is my understanding of your problem correct?
For this problem, it belongs to the Multi hosting Web applications such as
web farm situation. Generally in ASP.NET web application all the datas set
and retrieve via Response.Cookie or Request.Cookie are encrypted using a
certain key, the key is able to be set in the "MachineKey" element in the
web.config or machine.config file. In addition, the authentication cookie
for the FormAuthentication is auto checked and generated, if you want to
make them identity and shared in different asp.net web application, it''s
necessary to set the following features:
1. The Cookie name: The asp.net runtime will retrieve the authentication
cookie via this name, it is set in the "forms" element in web.config as
below:
<forms loginUrl="login.aspx" name="formsauth1" timeout="60" path="/" >
<credentials passwordFormat="Clear">
<user name="username" password="password"/>
</credentials>
</forms>
2. also, the "path" attribute is also important, but you can remain the
default value "/" so that the authentication cookie
will be sent to each web app.
3. the Machine key. We can also override this in web.config:
<machineKey validationKey="You custom key" decryptionKey="You custom key"
validation="SHA1" />
If multiple applications use identical, explicit values for the
<machineKey> element, an authentication cookie that is sent from one
application is decrypted by another application successfully.
For more information on the above features, you can refer the tech articles in MSDN:
Forms Authentication Requests Are Not Directed to loginUrl Page
http://support.microsoft.com/?id=313116
Create Keys by Using Visual C# .NET for Use in Forms Authentication
http://support.microsoft.com/?id=312906
Hosting Multiple Web Applications
http://msdn.microsoft.com/library/de...us/dnnetsec/ht ml/thcmch20.asp
If you have any questions on it, please feel free to let me know.
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hi Hermit,
感谢您的回复。至于FormAuthentication,它提供了一些
buildin授权,例如
alow =" *"
deny ="?"或明确指定一些用户名。但是我总是认为你
可以生成一个自定义数据库来存储用户
账户信息,并且可以手动进行用户检查和授权。
和as对于密码发送的格式,通常这种认证模式是bb b,基本认证,表格认证等。需要客户端提供用户凭证(密码)的所有凭证都以明文
文本(由base64编码)发送。因此,如果您使用这种身份验证模式,建议您在客户端和服务器之间的数据传输上使用一些安全保护,例如,SSL ;。
另外,我已经在Formauthentication上查看了MSDN,发现了一些主要针对FormAuthentication的
文章,这里有一篇这确认了我们在前面的消息中讨论的问题:
#Forms跨应用程序的身份验证
http://msdn.microsoft.com/library/en...sauthenticatio
nacrossapplications.asp?frame = true
#FormAuthentication上的主要内容
http://msdn.microsoft.com/library/en...ookieauthentic
ati onprovider.asp?frame = true
请查看以上建议,了解它们是否有用。如果您有任何问题,请随时告诉我。
Steven Cheng
Microsoft在线支持
安全! www.microsoft.com/security
(此帖子按原样提供,不作任何保证,并且不授予
权利。)
Hi Hermit,
Thanks for your response. As for the FormAuthentication, it provides some
buildin authorization such as
alow="*"
deny="?" or explicitly specify some user names. However I always think you
can generate a custom database for storing user
account infos and do the user checking and authorization mannually.
And as for the format the password sent, normally such authentication mode
as "Base authentication", "form authentication" which need the client to
provide user credentials(passwords) all send the credentials in clear
text(encoded by base64). So if you use such authentication mode, it is
recommended that you use some security protection on the datas transfers
between the client and server, for example, the "SSL".
In addition, I''ve reviewd the MSDN on the Formauthentication and found some
articles mainly aimed at "FormAuthentication", here is one which confirms
the problem we discussed in the former messages:
#Forms Authentication Across Applications
http://msdn.microsoft.com/library/en...sauthenticatio
nacrossapplications.asp?frame=true
#the main topic on FormAuthentication
http://msdn.microsoft.com/library/en...ookieauthentic
ationprovider.asp?frame=true
Please check out the above suggestion to see whether they are helpful. If
you have any questions , feel free to let me know.
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
这篇关于在远程计算机上使用loginurl进行表单身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
