How do the AuthorizeFilter and Authentication methods work under the hood?


Problem description

I would like to understand briefly how the authorize filter and FormAuthentication.SetAuthCookie work under the hood. It's the only thing I find ambiguous after reading some books on the language.

I don't understand how the authorize filter knows where to look. And what about FormsAuthenticationTicket vs. FormAuthentication? And is a cookie the most secure way? I mean, I'm sure it's possible to export the cookie from a browser and use it somewhere else.

Recommended answer

If you're interested in how the Authorize filter works in more detail you can review the source code: AuthorizeAttribute

Briefly the Authorize filter will check whether the user has been authenticated by checking the HttpContext.User.Identity.IsAuthenticated property. The User property will have been set by the FormsAuthenticationModule in the case of Forms Authentication.

The FormsAuthentication.SetAuthCookie method creates a ticket for the authenticated user (assuming the user has provided the correct credentials) and adds it to the cookies collection of the response. Alternatively, the module can be configured to use cookieless authentication if you want, but the encrypted ticket is still sent with each HTTP request. Either way, the client (browser) needs a way of telling the server that the request is authenticated.

Regarding your concerns over security there are some ideas in this question.
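
The ticket round trip described in the answer, written out as an added C# example (not code from the original answer or from the ASP.NET source). The class `TicketFlowSketch` and its method names are hypothetical; it assumes a System.Web application with Forms Authentication and a machineKey configured, and it approximates rather than reproduces what `SetAuthCookie` and `FormsAuthenticationModule` do.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: approximates the framework's behaviour, not its source.
public static class TicketFlowSketch
{
    // Roughly what FormsAuthentication.SetAuthCookie does once credentials are verified.
    public static void IssueTicket(HttpResponseBase response, string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            false, string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket using the application's machineKey settings.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from page script
            Secure = FormsAuthentication.RequireSSL,  // HTTPS only when requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Roughly what FormsAuthenticationModule does on each request, before [Authorize] runs.
    public static bool TryAuthenticate(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception ex) when (ex is ArgumentException || ex is HttpException
                                   || ex is CryptographicException)
        {
            return false;  // malformed or failed validation: treat the request as anonymous
        }
        if (ticket == null || ticket.Expired) return false;

        // The Authorize filter later reads User.Identity.IsAuthenticated from this principal.
        context.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
        return true;
    }
}
```

The server holds no per-user state here: whatever request presents a ticket that decrypts and has not expired is treated as that user, which is why the cookie flags and the ticket lifetime matter.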
