Using cookies to auto-login a user in asp.net (custom login)

Question

I can't find on the net what I'm looking for, so any help would be appreciated. I have implemented a custom login form where the user enters his email and password to log in. I then query the database with those credentials (password is hashed and salted) and if both are found then I store the UserID in the Session state. If the user closes the browser then the Session is lost so he would have to log in again. I learned about using cookies to implement the "Remember me" functionality but I don't know what I should be storing in the cookie for the auto-login process and to make it secure.

PS: I know what a cookie is and how it works. I also know that storing the user credentials (email + password) in a cookie is NOT advised. I'm using asp.net 4.0 with C#

Actually I'm looking for the logic behind the auto-login system using cookies.

Thanks!

Recommended answer

You should just use FormsAuthentication to set the cookie:

FormsAuthentication.SetAuthCookie(theUserID, true); 

And to get it back:

string userId = HttpContext.Current.User.Identity.Name;

If you are worried about security, you can consider only using secure cookies (you will only be able to read that cookie over https).

There's more info on this in a related post: Manual Access control in ASP .Net (http://stackoverflow.com/questions/14629346/manual-access-control-in-asp-net/14630156#14630156)

Update: According to your comment, you don't think you can set a Forms Authentication cookie in your custom login form. So I created a blank ASP.NET 4 project, where I created a custom login -- it will log in any unauthenticated user. Here are the three pieces:

The web.config (your project should have something similar since you have a form on your site where people login):

<authentication mode="Forms"></authentication>

The code in front:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="default.aspx.cs" Inherits="emptyWebApp._default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Example</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
     Username: <asp:Label ID="_username" runat="server"></asp:Label>
    </div>
    </form>
</body>
</html>

The code behind:

using System;
using System.Web;
using System.Web.Security;

namespace emptyWebApp
{
    public partial class _default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                _username.Text = HttpContext.Current.User.Identity.Name;
            }
            else
            {
                _username.Text = "Not logged in";
                FormsAuthentication.SetAuthCookie("CookieMan", true);
            }
        }
    }
}

As you can see, you can set an Authentication cookie using FormsAuthentication.SetAuthCookie in your own custom authentication function, even one as irrational as this.

In this case, the first time they hit the page, it will show Username: Not logged in and then it will log them in as "CookieMan". Refreshing the page will show Username: CookieMan.
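
Added example (not part of the original answer): one way to issue the Forms Authentication cookie from a custom login once the e-mail/password check has passed, with the cookie restricted to HTTPS as the answer suggests. The class and method names and both lifetimes are assumptions chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: RememberMeLogin, IssueAuthCookie and the lifetimes below are assumed names/values.
public static class RememberMeLogin
{
    // Assumed lifetimes; choose values that match your own session policy.
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(14);
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(30);

    // Call only AFTER the e-mail/password check against the database has succeeded.
    public static void IssueAuthCookie(HttpResponse response, string userId, bool rememberMe)
    {
        if (response == null) throw new ArgumentNullException("response");
        if (string.IsNullOrEmpty(userId))
            throw new ArgumentException("userId is required", "userId");

        DateTime now = DateTime.Now;
        DateTime expires = now.Add(rememberMe ? PersistentLifetime : SessionLifetime);

        // The ticket carries only the user ID, never the e-mail address or password.
        var ticket = new FormsAuthenticationTicket(
            1, userId, now, expires, rememberMe, string.Empty,
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the application's machineKey, so the
        // browser stores an opaque value it cannot read or alter undetected.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable from client-side script
            Secure = true,     // sent over HTTPS only
            Path = FormsAuthentication.FormsCookiePath
        };

        // With Expires set the cookie survives closing the browser ("remember me");
        // without it the browser drops the cookie when it closes.
        if (rememberMe)
            cookie.Expires = expires;

        response.Cookies.Add(cookie);
    }

    // Removes the authentication cookie on logout.
    public static void SignOut()
    {
        FormsAuthentication.SignOut();
    }
}
```

On later requests the user ID is read back through HttpContext.Current.User.Identity.Name, exactly as in the answer above.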
