如何找出客户是我的客户? [英] How to find out that the client is my customer?
问题描述
你好专家
这是一个场景。我的项目是一个简单的项目,它可以是桌面应用程序;但是因为它应该在整个城市超过8个站点运行,并且它们必须连接到同一个数据库,我决定开发一个Asp.Net应用程序。
主要问题是客户问我,除了我的工作人员外,任何人都不应该看到登录网页。
我能想到的唯一方法是获得一个独特的从他们的计算机上验证密钥。
即使可能,我也不知道!
有什么建议吗?
祝大家好运
您可以放心使用实际的硬件标识符。您可以使用智能卡或生物识别。请参阅以下文章: http://www.atgi。 com / dist /实施%20Smart%20Card%20Authentication%20和%20Authorization%20with%20ASP.NET.pdf [ ^ ],http://www.sharepointsecurity.com/sharepoint/sharepoint-development/biometric-authentication-for-sharepoint/ [ ^ ]。但这些都是相当复杂的方法,而且依赖于平台。
但是你有一个在客户端非常独立于平台的选项:使用客户端证书。请参阅此内容: http://support.microsoft.com/kb/315588 [ ^ ]。
您无法获取有关的信息客户端计算机很容易 - 这是可能的,但它会打开安全漏洞,以后很难插入。
更好的方法是向每个人发送电子邮件授权用户,其中包含点击此处链接,指向您网站上的硬件验证页面。如果链接包含您在数据库中检查的查询字符串(每个用户使用不同的Guid),如果它是正确的但尚未使用,则将授权cookie写入客户端计算机。然后检查正常网站中的cookie,如果确定,则显示登录屏幕或将其视为已登录。
听起来很复杂 - 但它不是'吨。电子邮件链接只是一个带有查询字符串的标准HTML HREF:
< a href = http://MyDomain.com/validation.html?id=9dcb491f-0edc-46d7-bc5a-6994416179a7 > 点击此处验证< / a >
在页面中,您所要做的就是阅读查询,检查它反对你的数据库并写一个cookie。 Simples!
Hello Experts
Here is a scenario. My Project is a simple project that it could be Desktop Application; But because it should run in more than 8 station all over the city and they must connect to a same database I decided to develop an Asp.Net Application.
The main problem is that the customer asked me that no body should see even the log in webpage except my personnel.
The only way I can think about, is to get a unique key from their computers to authenticate them.
I do not know even if it is possible!
Any suggestion?
Good luck everyone
There is no actual hardware identifier you could use with confidence. You could use a smartcard or biometric identification. See these articles: http://www.atgi.com/dist/Implementing%20Smart%20Card%20Authentication%20and%20Authorization%20with%20ASP.NET.pdf[^], http://www.sharepointsecurity.com/sharepoint/sharepoint-development/biometric-authentication-for-sharepoint/[^]. But these are quite complicated approaches, are rather platform-dependent.
But you have an option that is quite platform-independent on client side: using client side certificates. See this for the start: http://support.microsoft.com/kb/315588[^].
You can't get info about the client computer easily - it is possible, but it opens up security holes which it's difficult to plug up afterwise.
A better approach would be to send an email to each authorised user which contains a "click here" link to a "hardware validation" page on your site. If the link contains a query string which you check in your DB (a different Guid per user is good) and if it is correct and not used yet, writes an authorisation cookie to the client computer. You then check the cookie in your "normal" website and if ok, show the login screen or just treat them as logged in.
Sounds complex - but it isn't. The email link is just a standard HTML HREF with a query string:
<a href="http://MyDomain.com/validation.html?id=9dcb491f-0edc-46d7-bc5a-6994416179a7">Click here to validate</a>
In the page, all you have to do is read the query, check it against your DB and write a cookie. Simples!
这篇关于如何找出客户是我的客户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
