ASP.NET表单身份验证-何时使用? [英] ASP.NET Forms Authentication - When to use?
问题描述
我无法决定是否应该进行表单身份验证?表单身份验证通常用于个性化,其中内容是为已知用户定制的.我没有这样的要求.我在数据库中有用户名和密码,需要根据数据库对用户进行身份验证吗?在ASP.NET 2.0中达到相同目的的最佳推荐做法是什么?
I am not able to decide whether I should go for Forms Authentication ? Forms authentication is often used for personalization, where content is customized for a known user. I do not have such requirement. I have usernames and passwords in the DB and need to authenticate the users against the DB ? What is the best recommended practice to achieve the same in ASP.NET 2.0 ?
推荐答案
TL; DR: FormsAuthenication类与密码无关.您需要使用它来保持用户登录到您的网站.为了验证密码,请使用Membership类或您自己的自定义系统.
TL;DR: The FormsAuthenication class has nothing to do with passwords. You need to use it to keep users logged in to your website. In order to validate the passwords, use the Membership class or your own custom system.
来自
表单身份验证使用户和 Web的密码验证 不需要的应用程序 Windows身份验证.与表格 身份验证,用户信息为 存储在外部数据源中 例如会员数据库或 的配置文件 应用.用户一旦 已认证,表单认证 在以下位置维护身份验证票证 Cookie或网址中 经过身份验证的用户不需要 随每个请求提供凭据.
Forms authentication enables user and password validation for Web applications that do not require Windows authentication. With forms authentication, user information is stored in an external data source, such as a Membership database, or in the configuration file for an application. Once a user is authenticated, forms authentication maintains an authentication ticket in a cookie or in the URL so that an authenticated user does not need to supply credentials with each request.
如果您查看FormsAuthentication的类定义,则会看到根据存储在应用程序配置文件中的凭据验证用户名和密码." 您不想使用此,因为您想存储用户数据库中的密码和密码,而不是配置文件中的密码.这是整个FormsAuthentication类中与密码有关的唯一方法.
If you look at the class definition for FormsAuthentication, you'll see an Authenticate method. The documentation says "Validates a user name and password against credentials stored in the configuration file for an application." You don't want to use this because you want to store users and passwords in a database, not the config file. This is the ONLY method related to passwords in the whole FormsAuthentication class.
颁发表单票证的正确方法是使用SetAuthCookie方法,该方法不使用密码.那么您如何/在哪里查看密码?
The correct way to issue a forms ticket is with the SetAuthCookie method, which does not take a password. So how/where do you check the password?
答案:会员资格(或自定义名称).
Answer: Membership (or something custom).
ASP.NET 2.0版成员资格 功能提供安全的凭证 为应用程序用户存储.它也是 提供的成员资格API 简化了验证用户的任务 与表单一起使用时的凭据 验证.会员提供者 抽象用于的基础存储 维护用户凭据.
The ASP.NET version 2.0 membership feature provides secure credential storage for application users. It also provides a membership API that simplifies the task of validating user credentials when used with forms authentication. Membership providers abstract the underlying store used to maintain user credentials.
会员资格是一个大话题,您确实需要花费一些时间对其进行研究并编写测试应用程序.我至少阅读过关于ASP.NET成员资格的系列丛书中的前三篇文章,角色和个人资料.
Membership is a large topic and you really need to spend some time researching it and writing a test application. I'd read at least the first three articles in the Multipart Series on ASP.NET's Membership, Roles, and Profile.
阅读完这些内容之后,您可能会想知道是否应该编写自己的自定义成员资格提供程序.您可能需要查看SO上的一些答案,以获取有关堆栈溢出的指导 a>或在出现新问题时提出一个新问题.
After you're done reading that, you're probably going to wonder if you should write your own custom Membership provider. You might want to take a look at some of the answers here on SO for guidance on that stackoverflow or start a new question when that comes up.
这篇关于ASP.NET表单身份验证-何时使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
