在GrantResourceOwnerCredentials中访问httpcontext.session [英] access httpcontext.session in GrantResourceOwnerCredentials
问题描述
我需要在GrantResourceOwnerCredentials
方法中获取HttpContext.Session
.但是,当我尝试访问Httpcontext.Session
时得到null
.
I need to get HttpContext.Session
in GrantResourceOwnerCredentials
method. However I get null
when I try to access Httpcontext.Session
.
下面是我的代码:
public void ConfigureAuth(IAppBuilder app)
{
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new ApplicationOAuthProvider(
PublicClientId,
DependencyResolver.Current.GetService<ApplicationUserManager>(),
HttpContext.Current),
//AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(3),
// In production mode set AllowInsecureHttp = false
AllowInsecureHttp = true,
RefreshTokenProvider = new RefreshTokenProvider(
DependencyResolver.Current.GetService<ApplicationDbContext>())
};
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);
}
我使用SAML来设置我的HttpContext
会话值,但是我需要再次将Session
值重新检查到我的GrantResourceOwnerCredentials
方法中,但是此处的会话始终为空.
I use SAML where I set my HttpContext
session value, but I need to re-check that Session
value again into my GrantResourceOwnerCredentials
method, but however the session is always null in here.
推荐答案
...我需要再次在我的GrantResourceOwnerCredentials方法中重新检查该会话值.
...I need to re-check that Session value again [in] my GrantResourceOwnerCredentials method.
在GrantResourceOwnerCredential
方法中检查会话值不是一个好主意.会话存储在请求随附的cookie中.由于请求是通过令牌端点传入的,因此无法保护该请求免于篡改cookie.这意味着恶意用户可以篡改cookie并更改会话.
Checking the session value in the GrantResourceOwnerCredential
method is not a good idea. The session is stored in the cookie that comes with the request. Since the request comes in through the token endpoint, the request is not protected against tampering with the cookie. That means that a malicious user could tamper with the cookie and change the session.
这篇关于在GrantResourceOwnerCredentials中访问httpcontext.session的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!