Auto log out for de-authorized users


Problem description



Hey,

I asked a similar question a couple of days ago, but I don't see the same effect as described.

Essentially, I use ASP with form authentication. I manage users with a membership provider, but it has been pretty extensively customized.

It is possible that a user might have permissions removed whilst they are logged in. I want to kick them out asap.

I use signalr in my apps, and I now check the user permissions on each and every hub query. Authorization failure caused the client to navigate to a page that logs them out (with a harshly worded message letting them know that they've been kicked out).

I had assumed, and was informed that, when the user navigates to a new page after losing authorization that asp would check the users permissions again. It doesn't.

Do I have to add checks into each page or is there a setting I'm missing?

Any advice is welcome ^_^

Thanks
Andy

What I have tried:

I use Signalr for SPAs which checks authorisation so in most cases the effect is there for my apps, but my colleagues mostly use page navigation to control workflow and don't use SignalR.

We can check authorisation on every page load, but I have heard that this is done automagically. Is there a setting or a simple app wide fix?

Solution

With forms authentication, the only thing that's validated for each request is that the cookie contains a valid forms authentication ticket, and that the ticket has not expired.

If you want to check that the ticket still represents a valid user in your membership store, then you need to add that check to each request. The simplest solution is probably to use a custom IHttpModule:

using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using JetBrains.Annotations; // supplies [NotNull]; drop the attribute and this using if the package is not referenced

public sealed class MembershipValidationModule : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        if (context == null) throw new ArgumentNullException(nameof(context));

        // PostAuthenticateRequest fires after FormsAuthenticationModule has populated
        // context.User from the ticket, and before the authorization modules run.
        context.PostAuthenticateRequest += (s, e) =>
        {
            var app = s as HttpApplication;
            if (app?.Context != null)
            {
                OnAuthenticated(new HttpContextWrapper(app.Context));
            }
        };
    }

    private static void OnAuthenticated([NotNull] HttpContextBase context)
    {
        if (IsFormsAuthenticated(context.User))
        {
            // Membership.GetUser() looks up the current request's user name in the membership store.
            var user = Membership.GetUser();
            if (user == null || !user.IsApproved)
            {
                // Expire the auth cookie for subsequent requests and treat this request as anonymous,
                // so URL authorization rules that deny anonymous users apply to it.
                FormsAuthentication.SignOut();
                context.User = null;
            }
        }
    }

    private static bool IsFormsAuthenticated(IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return string.Equals(user.Identity.AuthenticationType, "Forms", StringComparison.OrdinalIgnoreCase);
    }
}


<configuration>
    <system.webServer>
        <validation validateIntegratedModeConfiguration="false"/>
        <modules>
            <add
                name="MembershipValidationModule"
                preCondition="managedHandler"
                type="YourNamespace.MembershipValidationModule, YourAssembly"
            />
        </modules>
    </system.webServer>
</configuration>
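The module above goes to the membership store on every request. An added example, not part of the original answer, that shows a variant of the same PostAuthenticateRequest check: it compares the forms ticket's issue time with a per-user "permissions last changed" timestamp, so a ticket issued before the user's permissions were revoked is rejected on the next page navigation without a store lookup. The `PermissionRevocations` class, the `StaleTicketModule` name and the in-memory dictionary are assumptions for illustration; a real application would back the timestamp with whatever store its customized membership provider already uses. The module is registered in web.config exactly like the one in the answer.

```csharp
// Added example (not from the original answer). Rejects forms tickets that
// were issued before the user's permissions last changed.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Assumed helper: an in-memory stand-in for a revocation timestamp store.
public static class PermissionRevocations
{
    // user name -> UTC time at which that user's permissions last changed
    private static readonly ConcurrentDictionary<string, DateTime> Changes =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call this from the code path that removes a user's permissions.
    public static void MarkChanged(string userName)
    {
        Changes[userName] = DateTime.UtcNow;
    }

    // True when the ticket was issued before the user's last permission change.
    public static bool IsStale(FormsAuthenticationTicket ticket)
    {
        DateTime changedAt;
        if (!Changes.TryGetValue(ticket.Name, out changedAt)) return false;
        return ticket.IssueDate.ToUniversalTime() < changedAt;
    }
}

public sealed class StaleTicketModule : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        if (context == null) throw new ArgumentNullException(nameof(context));

        // Same hook as the answer's module: runs after FormsAuthenticationModule has
        // set context.User and before UrlAuthorizationModule decides on the request.
        context.PostAuthenticateRequest += (s, e) =>
        {
            var app = s as HttpApplication;
            if (app?.Context != null)
            {
                Check(new HttpContextWrapper(app.Context));
            }
        };
    }

    private static void Check(HttpContextBase context)
    {
        // Only forms-authenticated users carry a FormsIdentity with the decrypted ticket.
        var identity = context.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        if (PermissionRevocations.IsStale(identity.Ticket))
        {
            // Expire the cookie for later requests and make this request anonymous.
            // An unauthenticated GenericPrincipal is used instead of null so that
            // downstream code reading context.User does not hit a null reference;
            // <authorization><deny users="?"/> then redirects to the login page.
            FormsAuthentication.SignOut();
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}
```

Two caveats on the design: an in-memory dictionary is per process, so on a web farm or after an app-pool recycle the timestamps must come from shared storage; and because the comparison uses the ticket's issue time, a user who logs in again after the change gets a fresh ticket and is admitted, which is the intended behaviour when permissions are merely reduced rather than the account disabled (the answer's `IsApproved` check covers the latter case).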

