FormsAuthenticationTicket UserData still readable after encryption (ASP.NET MVC3 with Forms Auth.)


Problem description

I'm building a website with the new ASP.NET MVC3 framework and using Forms Auth. for securing the website. I'm storing the role of a user in the UserData property of the FormsAuthenticationTicket (setting the cookie manually); I then call the Encrypt method on the ticket before adding it to the cookie (see below a standard ticket snippet).

// Login action; LogOnModel and Validate() are the asker's own types and are assumed here.
[HttpPost]
public ActionResult LogOn(LogOnModel model)
{
    if (Validate(model.UserName, model.Password))
    {
        // Version 1 ticket: user name, issue and expiry time, not persistent,
        // with the role name carried in the UserData string.
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
                model.UserName,
                DateTime.Now,
                DateTime.Now.AddMinutes(30),
                false,
                UserType.Administrator.ToString());
        // Encrypt (and, with the default protection="All", sign) the ticket
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
        HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        Response.Cookies.Add(faCookie);
        return RedirectToAction("startpage", "mycontroller");
    }
    return View(model);   // assumed: redisplay the form when validation fails
}

Now I've made a custom AuthorizeAttribute that's able to check if the user is 1. authenticated and 2. has the admin role (from the ticket) (below). The AuthorizeCore method of this derived class will be called when an action takes place in a class that has the attribute annotation.

protected override bool AuthorizeCore(HttpContextBase httpContext)
{
    if (httpContext == null)
    {
        throw new ArgumentNullException("httpContext");
    }
    IPrincipal user = httpContext.User;
    if (!user.Identity.IsAuthenticated)
    {
        return false;
    }
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = httpContext.Request.Cookies[cookieName];
    if (authCookie == null)
        return false;

    // Decrypt the ticket again and compare the stored role name.
    FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    if (authTicket == null || authTicket.Expired)   // malformed, tampered or expired cookie
        return false;
    if (authTicket.UserData != UserType.Administrator.ToString())
        return false;
    return true;
}

So here's where I'm getting confused.

When I follow the code being executed (with valid credentials, in debug) and check the values of the variables made on each line, the encryptedTicket encrypts just fine before adding it to the response cookie.

But when I then check the AuthorizeCore method when the controller (of the index page) is being called, the parameter it's getting, the HttpContext, contains the ticket with everything unencrypted, so there is no need to decrypt the ticket anymore when reading the cookie.

Why do I see the ticket successfully being encrypted in the logon controller where I send it back to the client, but then when I receive the HttpContext in the AuthorizeAdministrator class it's all unencrypted again?

Sorry for the long question/story; there's probably a simple and short answer for it. Hope my story is clear.

Thanks.

Recommended answer

Forms auth needs to decrypt the cookie early in the page processing pipeline, to determine if the user is authorized -- that's when it fills in the details for User.Identity, etc.
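Added example (not code from the question or the answer above): since FormsAuthenticationModule has already decrypted and MAC-checked the cookie by the time a controller runs, the role stored in UserData can be read from the FormsIdentity that the module placed on Context.User, and the attribute never has to touch the cookie. The example also sets the cookie flags the asker's login code leaves at their defaults. It assumes a UserType enum like the one the asker references, a comma-separated list of role names in UserData, and a helper named AuthCookies.Create; all three are assumptions, not the asker's code.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed: the role enum the asker refers to as UserType (not defined on the page).
public enum UserType { Member, Administrator }

public static class AuthCookies
{
    // Assumed helper. Builds the same ticket as the asker's login action, but also sets
    // the flags that keep the ticket away from page script and off plain HTTP.
    public static HttpCookie Create(string userName, UserType role)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, role.ToString());

        // Encrypt() also MACs the ticket with the machineKey (protection="All" is the
        // default), so a client cannot rewrite UserData without being detected.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable from JavaScript
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows requireSSL in web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        return cookie;
    }
}

public class MvcApplication : HttpApplication
{
    // By the time this event fires, FormsAuthenticationModule has decrypted and verified
    // the cookie and set Context.User to a GenericPrincipal around a FormsIdentity with
    // no roles. Replace it with a principal that carries the roles stored in UserData.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null)
            return;
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;                                      // anonymous request

        FormsAuthenticationTicket ticket = identity.Ticket;   // the already-decrypted ticket
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(identity, roles);
    }
}

// With the roles on the principal, the attribute no longer reads the cookie at all.
public class AuthorizeAdministratorAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");
        IPrincipal user = httpContext.User;
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(UserType.Administrator.ToString());
    }
}
```

Once the roles are on the principal, the stock attribute works the same way: `[Authorize(Roles = "Administrator")]` calls `User.IsInRole` and needs no custom subclass. Decrypting the cookie a second time inside AuthorizeCore, as in the question, is not a security problem (the role lives inside the encrypted and signed ticket), it is just redundant work that also bypasses the Expired handling the module already performed.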
