安全传递用户名从ASP.Net为Javascript [英] Securely Passing UserID from ASP.Net to Javascript
问题描述
在应用我目前正在开发我们正在使用ASP.Net Forms身份验证授予网站的用户进一步访问。这个网站是针对向移动用户,因此我们试图像手离开从服务器尽可能和利用KnockoutJS,使Web服务调用和加载数据,以便用户可以查看它。
In the application I am currently developing we are using ASP.Net forms authentication to grant the user further access to the site. This site is targeted towards mobile users and as such we are attempting to be as hands off from the server as possible and make use of KnockoutJS to make the web service call and load the data so that the user can view it.
现在的Web服务(使用GET方法REST服务)要求,以加载特定的给该用户的数据的用户名。我已经在服务器端(ASP.net)这一信息,我可以轻松地访问任何 User.Identity.Name 或直接访问窗体身份验证cookie和提取信息。
Right now the webservice (REST service using GET method) requires the username in order to load the data specific to that user. I have this information on the server side (ASP.net) and I can easily access either User.Identity.Name or access the forms authentication cookie directly and pull the information.
我的问题是,我需要从服务器获取用户名的客户端,以便服务调用可。我已经看着牢固地这样做,但到目前为止还拿出空白。目前,我传递的用户名作为URL参数,并使用JavaScript解析出来,跟在的Page_Load 方法的检查,以验证在URL中的用户名相匹配的登录用户。
My problem is that I need to get the username from the server to the client so that the service call can be made. I have looked into doing this securely but so far have come up blank. Currently I am passing the username as a url parameter and parsing it out using JavaScript, with a check on the Page_Load method to verify the username in the url matches the logged in user.
我需要一种方法,以确保传递从ASP.Net用户名已通过验证的形式向客户端的JavaScript,所以我可以做一个REST Web服务调用用户。
I need a way to secure pass a username from ASP.Net that has authenticated the user using form to the client side JavaScript so I can make a REST webservice call.
编辑:那么谷歌搜索和会议与我的球队领先后我的认为的,我们将使用类似本例中的OAuth实现:
So after googling and meeting with my team lead I think we will be using an OAuth implementation similar to this example:
的http://www.c-sharpcorner.com/UploadFile/surya_bg2000/secure-wcf-restful-service-using-oauth/
也为别的寻找相同的答案,我发现这个问题理解的OAuth非常有帮助的:
Also for anything else looking for the same answer I found this question very helpful in understanding OAuth:
<一个href=\"http://stackoverflow.com/questions/6865690/whats-the-point-of-a-timestamp-in-oauth-if-a-nonce-can-only-be-used-one-time\">What's在OAuth的时间戳的点,如果一个随机数只能使用一次?
假设一切都正确实施起来会比较安全(绝对安全,安全,还是更不安全?),而不是通过ASP代码传递所生成的签名如下所述?
Assuming everything is implemented correctly would it be more secure (totally secure, secure, or more insecure?) to instead pass the generated signature via an ASP tag as mentioned below?
编辑2:一些经过审查和其他的一些搜索,我们终于决定了一个框架,使这项工作的方法。事实证明OAuth是不一定的答案这里,这个问题:
EDIT 2: After some more review and some more searching we finally decided on a framework and method of making this work. As it turns out OAuth isn't necessarily the answer here, this questions:
<一个href=\"http://stackoverflow.com/questions/12632348/but-seriously-example-of-asp-net-webapi-implementation-including-oauth\">But认真.... ASP.NET的WebAPI实施例其中包括OAuth
是一个很大的帮助,以及在搞清楚如何使这项工作。我们要结束了做是生成签名和投入上的JavaScript,使这样的呼叫。签名将是敏感的时间和再生每个用户加载页面所以非常喜欢OAuth的时间,但我们的arent实施全面规范。
was a lot of help as well in figuring out how to make this work. What we are going to end up doing is generating the signature and putting in on the javascript and making the call like that. The signatures are going to be time sensitive and regenerated each time the user loads the page so very OAuth like but we arent implementing the full spec.
TL:DR 的最终解决方案是生成一个散列的签名,并把它通过ASP服务器标签&lt页面上;%aspvar_here%>,并用它来验证服务调用
TL:DR Final solution was to generate a hash signature and put it on the page via ASP server tag <% aspvar_here %> and use it to validate the service call
推荐答案
简单的方法是呈现这个JavaScript在你的页面:
Simplest way would be to render this javascript in your page:
<script type="text/javascript">
window.UserID = '<%=HttpUtility.JavaScriptStringEncode(this.User.Identity.Name)%>';
</script>
现在,你可以参考它在你的JS。
Now you can reference it in your JS.
但是,更重要的是,如果该用户ID不只是用作默认参数,而是对用户进行认证,这是一个安全漏洞。通常情况下,REST服务也应该能看 User.Identity.Name ,而不是接受它作为一个参数。
But, more importantly, if this user id is not used just as a default parameter but instead to authenticate the user, this is a security hole. Normally the REST service should also be able to look at User.Identity.Name instead of receiving it as a argument.
这篇关于安全传递用户名从ASP.Net为Javascript的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
