Implement session-based authentication with Nancy


Question

This is a follow-up question to: Is Forms Authentication, as described in the Nancy docs, susceptible to session hijacking?

I understand now how Nancy Form Authentication works and also the idea behind it, thanks to Steven Robbins' answer.

However, for my application that approach is not sufficient. It must not be possible to gain eternal access for an attacker if he manages to steal the auth cookie once. Thus, I'm currently investigating possibilities to switch to a session-based approach to authentication, so I can invalidate sessions when the user logs out and also after a fixed amount of time.

Nice thing about Nancy, such things can be customized!

My question is, does it make sense to reuse Nancy.FormsAuthentication for that purpose? One solution I have in mind is making the user identifier only temporarily valid. That way I would delete the GUID identifier from the user database when the user logs out, and create a new one every time a user logs in.

I'm asking because the docs state:

It is also important to know that the identifier should be treated as permanent for the user that it was generated for and will be reused across requests and application sessions.

Are there any unwanted side-effects when I ignore that and make the identifier non-permanent?

Answer

Yes and no.

If you change it each time the user logs in then you are effectively logging the user out.

You could create a Session / Identity table which allows the same user to login multiple times (assuming that the browser is different) which would allow you to manage the timeout / extending the timeout on each authentication.

That would require no changes to the Forms Auth; you would simply change the IUserMapper to authenticate against your Session / Identity table rather than the user directly.

(hope all that makes sense)
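The Session / Identity table and the IUserMapper the answer describes, written out as an added C# example (not code from the question, the answer, or the Nancy project). It assumes the Nancy 1.x Nancy.Authentication.Forms API (IUserMapper, IUserIdentity); the names AuthSession, SessionStore and SessionUserMapper are my own.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using Nancy;
using Nancy.Authentication.Forms;
using Nancy.Security;

// One row of the Session / Identity table, keyed by the GUID Nancy stores in the auth cookie;
// the row doubles as the IUserIdentity handed back to Nancy.
public class AuthSession : IUserIdentity
{
    public Guid Id { get; set; }
    public string UserName { get; set; }
    public IEnumerable<string> Claims { get; set; }
    public DateTime ExpiresUtc { get; set; }
}
// In-memory stand-in for the session table (a database table in a real deployment).
public static class SessionStore
{
    public static readonly ConcurrentDictionary<Guid, AuthSession> Sessions = new ConcurrentDictionary<Guid, AuthSession>();
    public static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);
    // After the password check succeeds: a fresh GUID per login, so several browsers can be logged in at once.
    public static Guid Create(string userName)
    {
        var id = Guid.NewGuid();
        Sessions[id] = new AuthSession { Id = id, UserName = userName, Claims = new string[0], ExpiresUtc = DateTime.UtcNow + Lifetime };
        return id; // the login route passes this to this.LoginAndRedirect(id)
    }
    // On logout, or any server-side revocation: the GUID in a stolen cookie stops resolving.
    public static void Revoke(Guid id)
    {
        Sessions.TryRemove(id, out _);
    }
}
// IUserMapper that resolves the cookie GUID against the session table rather than the user table.
public class SessionUserMapper : IUserMapper
{
    public IUserIdentity GetUserFromIdentifier(Guid identifier, NancyContext context)
    {
        AuthSession session;
        if (!SessionStore.Sessions.TryGetValue(identifier, out session))
            return null; // unknown or revoked: Nancy treats the request as unauthenticated
        if (session.ExpiresUtc < DateTime.UtcNow)
        {
            SessionStore.Revoke(identifier); // expired: drop the row and reject
            return null;
        }
        session.ExpiresUtc = DateTime.UtcNow + SessionStore.Lifetime; // sliding timeout, extended on each request
        return session;
    }
}
```

The login route calls this.LoginAndRedirect(SessionStore.Create(userName)) once the password checks out, and the logout route calls SessionStore.Revoke(((AuthSession)Context.CurrentUser).Id) before this.LogoutAndRedirect, so a stolen cookie stops working at logout and after Lifetime of inactivity while the user's permanent record is never touched.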
