在GrantResourceOwnerCredentials中访问httpcontext.session [英] access httpcontext.session in GrantResourceOwnerCredentials

问题描述

我需要在GrantResourceOwnerCredentials方法中获取HttpContext.Session.但是，当我尝试访问Httpcontext.Session时得到null.

I need to get HttpContext.Session in GrantResourceOwnerCredentials method. However I get null when I try to access Httpcontext.Session.

下面是我的代码:

public void ConfigureAuth(IAppBuilder app)
{
    PublicClientId = "self";
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),

        Provider = new ApplicationOAuthProvider(
         PublicClientId,
         DependencyResolver.Current.GetService<ApplicationUserManager>(),
         HttpContext.Current),

       //AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),

        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(3),

        // In production mode set AllowInsecureHttp = false
        AllowInsecureHttp = true,

        RefreshTokenProvider = new RefreshTokenProvider(
          DependencyResolver.Current.GetService<ApplicationDbContext>())
    };

    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);
}

我使用SAML来设置我的HttpContext会话值，但是我需要再次将Session值重新检查到我的GrantResourceOwnerCredentials方法中，但是此处的会话始终为空.

I use SAML where I set my HttpContext session value, but I need to re-check that Session value again into my GrantResourceOwnerCredentials method, but however the session is always null in here.

推荐答案

...我需要再次在我的GrantResourceOwnerCredentials方法中重新检查该会话值.

...I need to re-check that Session value again [in] my GrantResourceOwnerCredentials method.

在GrantResourceOwnerCredential方法中检查会话值不是一个好主意.会话存储在请求随附的cookie中.由于请求是通过令牌端点传入的，因此无法保护该请求免于篡改cookie.这意味着恶意用户可以篡改cookie并更改会话.

Checking the session value in the GrantResourceOwnerCredential method is not a good idea. The session is stored in the cookie that comes with the request. Since the request comes in through the token endpoint, the request is not protected against tampering with the cookie. That means that a malicious user could tamper with the cookie and change the session.

这篇关于在GrantResourceOwnerCredentials中访问httpcontext.session的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！