我如何在请求早期失效不好的身份验证cookie？ [英] How do I invalidate a bad authentication cookie early in the request?

问题描述

我开发将在Windows Azure中托管的MVC应用程序。在开发过程中，我测试针对本地数据库和本地用户的会员服务。在生产中，应用程序关闭命中SQL Azure数据库和云托管用户的会员服务。

I develop an MVC application that will be hosted in Windows Azure. During development, I test against a local database and local user membership service. In production, the application hits off a SQL Azure database and a cloud-hosted user membership service.

有时我会登录到的本地的现场版本与用户帐户只的存在，我的本地机器上。如果我忘了退出，但切换我的机器上出的测试模式，做起事情来打破。

Sometimes I'll log in to the local version of the site with a user account that only exists on my local machine. If I forget to log out but switch my machine out of test mode, things start to break.

设置我的主机文件以指向 127.255.0.0 我的应用程序的URL，这样浏览器请求被处理在Azure模拟器本地。这也意味着我的测试应用程序和生产应用程序中使用相同的主机名 - 饼干一被视为有效的Cookie在其他

I set my hosts file to point my application URL at 127.255.0.0 so that browser requests are handled by the Azure emulator locally. This also means my test application and the production application use the same host name - cookies for one are seen as valid cookies for the other.

如果我登录到本地系统中，为域创建一个 ASPXAUTH 的cookie，并包含从我的本地系统的用户的凭据。如果我忘了注销并切换我的主机文件恢复正常（浏览器请求到现场应用程序），它发送相同的 ASPXAUTH cookie发送到服务器。

If I log in to my local system, an ASPXAUTH cookie is created for the domain and contains the credentials of the user from my local system. If I forget to log out and switch my hosts file back to normal (browser requests go to the live application), it sends the same ASPXAUTH cookie to the server.

由于此用户不存在于服务器上，仅在当地，像 Membership.GetUser（）。电子邮件的任何请求返回一个对象空例外。

Since this user doesn't exist on the server, only locally, any requests like Membership.GetUser().Email return an object null exception.

在理想情况下，我可以注入一些code请求早期检查用户是否存在。是这样的：

Ideally, I could inject some code early in the request to check that the user exists. Something like:

MembershipUser user = Membership.GetUser();
if(user == null) {
    FormsAuthentication.SignOut();
}

这将自动删除 ASPXAUTH 的cookie无效用户。但是，在我把它？我开始寻找我的控制器 - 他们都从 BaseController 类继承，但即使把在基控制器的构造函数这个code不是及早。我又看了看的Global.asax ，但我不知道哪个事件将是最好配合这一行动。

This will automatically remove the ASPXAUTH cookie for invalid users. But where do I put it? I started looking at my controllers - all of them inherit from a BaseController class, but even putting this code in the base controller's constructor isn't early enough. I also looked at Global.asax, but I'm not sure which event would be best to tie this action to.

另外，我甚至不知道这是做事的正确方法。如果没有，是什么，以确保验证cookie是一个有效的用户只需根据不同的会员上课前像我目前最好的方法是什么？

Also, I'm not even sure this is the right way to do things. If not, what is the best way to ensure that the authentication cookie is for a valid user before just depending on the membership class like I am currently?

推荐答案

您可以在您global.aspx处理以下事件：

You may handle the below event in you global.aspx:

public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs args)
{ 
}

编辑：

在<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationeventhandler.aspx\"相对=nofollow>上述方法， Membership.GetUser（）将返回空，因为它从需要 HttpContext.Current.User.Identity.Name 属性的用户名和本次活动的用户尚未通过认证。上述方法是通过 FormsAuthenticationModule 的，当它被调用募集<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationmodule.authenticate.aspx\"相对=nofollow>甚至验证。您可以处理此事件，像这样：

In the above method, Membership.GetUser() will return null, since it takes the userName from HttpContext.Current.User.Identity.Name property and in this event the user has not yet been authenticated. The above method is invoked by FormsAuthenticationModule when it raised Authenticate even. You can handle this event like so:

public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs args)
{
    if (FormsAuthentication.CookiesSupported &&
            Request.Cookies[FormsAuthentication.FormsCookieName] != null)
    {
        try
        {
            var formsAuthTicket = FormsAuthentication.Decrypt(Request.Cookies[FormsAuthentication.FormsCookieName].Value);

            MembershipUser user = Membership.GetUser(formsAuthTicket.Name);
            if (user == null)
            {
                FormsAuthentication.SignOut();
                Request.Cookies[FormsAuthentication.FormsCookieName].Value = null;
            }
        }
        catch (Exception ex)
        {
            //TODO:log ex
        }
    }
}

您也可以考虑办理的AuthenticateRequest 由global.aspx声明如下方法事件。

You can also consider to handle the AuthenticateRequest event by declaring the below method in the global.aspx.

注： Application_AuthenticateRequest 事件在 FormsAuthentication_OnAuthenticate 事件之后被解雇。

NOTE: Application_AuthenticateRequest event is fired after the FormsAuthentication_OnAuthenticate event.

void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.User != null && HttpContext.Current.User.Identity.IsAuthenticated)
    {                
        MembershipUser user = Membership.GetUser();
        if (user == null)
        {
            FormsAuthentication.SignOut();
            HttpContext.Current.User = null;
        }
    }            
}

希望这有助于..

Hope this helps..

这篇关于我如何在请求早期失效不好的身份验证cookie？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！