Session management with ASP.NET MVC + IIS 6.0 + Basic Authentication


Question

I'll soon be embarking on a dev project with ASP.NET MVC (C#), but would like to first determine how to fix some of the shortcomings of our existing ASP classic applications in the new environment. Our intranet web servers are running IIS6 and for some reason (apparently due to the load balancer) the IT team has determined that Windows Integrated auth won't work and so we're stuck using basic. I'd love to do forms-based and query the AD, but that's not an option for security purposes. So the challenge is to mimic what can be done using forms-based authentication, but while actually using basic. In particular, being able to do something at least approximating logging out would be beautiful. The IT team's lead web developer said he gave up on trying to get that to work. It seems there's a lot of information on this out there, but much seems to be conflicting due to variations in configuration.

Is there a best practice to achieve this, given our configuration?

So far the best I've found would be to just do some kind of manual session tracking and then prompt for login info again by responding with a 401 if the 'session' has timed out, or if they had been marked as logged out and then visit the page again before closing and opening the browser. It seems like that would work, but is there a more elegant solution?
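As an added illustration of the manual session tracking sketched in the question (this is not code from the original post or its answer): an ASP.NET MVC action filter that records last activity in Session and answers with a 401 Basic challenge once the session has been idle past a limit or has been marked logged out. The 20-minute timeout, the realm string and the controller name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: IIS has already validated the Basic credentials; this
// adds an application-level idle window on top and lets a logout action force
// the browser back through the Basic challenge.
public class BasicAuthSessionAttribute : ActionFilterAttribute
{
    private const string LastSeenKey = "BasicAuthSession.LastSeen";
    private const string LoggedOutKey = "BasicAuthSession.LoggedOut";
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20); // assumed value

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;
        HttpSessionStateBase session = ctx.Session;
        DateTime now = DateTime.UtcNow;

        bool loggedOut = session[LoggedOutKey] is bool && (bool)session[LoggedOutKey];
        DateTime? lastSeen = session[LastSeenKey] as DateTime?;
        bool idle = lastSeen.HasValue && now - lastSeen.Value > IdleTimeout;

        if (loggedOut || idle)
        {
            // Drop the tracking state so the credentials the user re-enters
            // at the prompt start a fresh activity window on the next request.
            session.Remove(LoggedOutKey);
            session.Remove(LastSeenKey);
            ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"intranet\""); // realm assumed
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        session[LastSeenKey] = now; // sliding idle window
        base.OnActionExecuting(filterContext);
    }

    // Called by a logout action: the next request in this session is challenged.
    public static void MarkLoggedOut(HttpSessionStateBase session)
    {
        session[LoggedOutKey] = true;
    }
}

[BasicAuthSession] // hypothetical controller showing the logout hook
public class AccountController : Controller
{
    public ActionResult Logout()
    {
        BasicAuthSessionAttribute.MarkLoggedOut(Session);
        return RedirectToAction("Index", "Home"); // the follow-up request gets the 401
    }
}
```

Because the filter clears its marker when it challenges, a client that silently re-sends cached Basic credentials is accepted again on the very next request; the "logout" is therefore only as strong as the browser's habit of re-prompting after a 401 to a request that already carried credentials.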

Answer

One small point: Authentication and Session are two different concepts in ASP.NET, although the terminology lends itself to them being easily confused.

Authentication has an authentication ticket encrypted in a cookie and this usually has a time limit for how long you are logged into the site before you need to re-authenticate. This may also be a sliding scale, or never require you to re-authenticate, depending on how your authentication is configured.

Session is the data held in Session state for a particular interval (authenticated and unauthenticated) and is tracked by its own cookie. Depending on how session and authentication are configured together, it is possible to have scenarios where a user's authentication interval elapses, requiring them to log in, and yet they still have session data and vice-versa.

It sounds like you're talking about an intranet application based on the fact that you'd like to use Windows authentication and Active Directory to authenticate users and authorize what those users can do in the application. That can work very well for an intranet application and I'm not entirely sure what security concerns have been voiced about this. Could you elaborate?

If you're talking about an internet application and would like to use Windows authentication and Active Directory for intranet users and forms authentication for anyone else, then this can certainly be achieved too. You may want to take a look at Windows Identity Foundation to achieve this.
