使用Cookie自动登录在asp.net(自定义登录)用户 [英] Using cookies to auto-login a user in asp.net (custom login)
问题描述
我无法找到我要找的,因此任何帮助将是AP preciated净。
我实现了一个自定义登录形式,其中用户输入自己的电子邮件地址和密码登录,然后我用这些凭据查询数据库(密码哈希和盐渍),如果两者都找到,然后我存储用户名中的会话状态。如果用户关闭浏览器,然后在会话丢失,所以他将不得不重新登录。
我学习了如何使用Cookie来实施记住我的功能,但我不知道我应该怎么在cookie被存储在自动登录过程,以确保安全。
i can't find on the net what i'm looking for so any help would be appreciated. I have implemented a custom login form where the user enters his email and password to log in. I then query the database with those credentials (password is hashed and salted) and if both are found then i store the UserID in the Session state. If the user closes the browser then the Session is lost so he would have to log in again. I learned about using cookies to implement the "Remember me" functionality but i don't know what should i be storing in the cookie for the auto-login process and to make it secure.
PS:我知道一个cookie是什么以及它是如何工作的。我也知道,存储在cookie中的用户凭据(电子邮件+密码)是不明智的。 我使用asp.net 4.0使用C#
PS: I know what a cookie is and how it works. I also know that storing the user credentials (email + password) in a cookie is NOT advised. I'm using asp.net 4.0 with C#
其实我正在寻找使用cookie自动登录系统背后的逻辑。
Actually i'm looking for the logic behind the auto-login system using cookies.
谢谢!
推荐答案
您应该使用的 FormsAuthentication 设置Cookie:
You should just use FormsAuthentication to set the cookie:
FormsAuthentication.SetAuthCookie(theUserID, true);
和再赚回来:
string userId = HttpContext.Current.User.Identity.Name;
如果你担心安全,你只能使用安全cookie考虑(你将只能通过HTTPS读取cookie中)。
If you are worried about security, you can consider only using secure cookies (you will only be able to read that cookie over https).
有是在一个相关帖子更多这方面的信息:<一href=\"http://stackoverflow.com/questions/14629346/manual-access-control-in-asp-net/14630156#14630156\">Manual在ASP.NET的访问控制
There's more info on this in a related post: Manual Access control in ASP .Net
更新:根据您的意见,你不认为你可以设置您的自定义登录表单的窗体身份验证cookie。所以,我创建了一个空白的ASP.NET 4项目中,我创建了一个自定义登录 - 它会记录任何未认证的用户。这里有三个部分:
Update: According to your comment, you don't think you can set a Forms Authentication cookie in your custom login form. So I created a blank ASP.NET 4 project, where I created a custom login -- it will log in any unauthenticated user. Here are the three pieces:
的的web.config
(你的项目应该有类似的东西,因为你有你的网站上的表单,人们登录):
The web.config
(your project should have something similar since you have a form on your site where people login):
<authentication mode="Forms"></authentication>
在code前:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="default.aspx.cs" Inherits="emptyWebApp._default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Example</title>
</head>
<body>
<form id="form1" runat="server">
<div>
Username: <asp:Label ID="_username" runat="server"></asp:Label>
</div>
</form>
</body>
</html>
在code背后:
The code behind:
using System;
using System.Web;
using System.Web.Security;
namespace emptyWebApp
{
public partial class _default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
_username.Text = HttpContext.Current.User.Identity.Name;
}
else
{
_username.Text = "Not logged in";
FormsAuthentication.SetAuthCookie("CookieMan", true);
}
}
}
}
正如你所看到的,你可以通过设置身份验证Cookie FormsAuthentication.SetAuthCookie
在自定义的认证功能,即使是不合理的了。
As you can see, you can set an Authentication cookie using FormsAuthentication.SetAuthCookie
in your own custom authentication function, even one as irrational as this.
在这种情况下,第一次他们打的页面,它会显示用户名:在
尚未登录,然后它会在记录他们为CookieMan。刷新页面将显示用户名:CookieMan
In this case, the first time they hit the page, it will show Username: Not logged in
and then it will log them in as "CookieMan". Refreshing the page will show Username: CookieMan
.
这篇关于使用Cookie自动登录在asp.net(自定义登录)用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!