Authorization check using Global.asax


Question

In my ASP.NET web application, I want to check every time the user is trying to get a page from my application whether the user exists in the DB (of course after the first time we save the user details in the session). I tried to use the Application_AuthenticateRequest event in the global.asax to check for each request, but the session does not exist in this event. I need advice on where I can put my authorization logic so that I would still have the session data available (to reduce DB access).

Answer

You sound as though you are "rolling your own" authentication system.

I would look into using ASP.NET's built in Forms authentication system that is commonly used with an ASP.NET Membership Provider. Built-in providers already exist for SQL Server, and you can create your own Membership Provider by inheriting from the System.Web.Security.MembershipProvider base class.

Essentially, the ASP.NET membership providers usually work by setting a client side cookie (also known as an Authentication Ticket) in the client's browser, once the client has successfully authenticated themselves. This cookie is returned to the web server with each subsequent page request, allowing ASP.NET, and thus your code, to determine who the user is, usually with a single line of code like so:

// The authentication ticket cookie lets ASP.NET populate the principal for the request,
// so the user's name is available without touching Session or the database.
string username = HttpContext.Current.User.Identity.Name;

if (HttpContext.Current.User.Identity.IsAuthenticated)
{
    // Do something when we know the user is authenticated.
}

You then should not need to store anything in the Session state. Of course, if you want to store user-specific data in a session variable (i.e. user-data that may not be part of the authentication of a user, perhaps the user's favourite colour etc.) then by all means you can store that in a session variable (after retrieving it from the DB when the user is first authenticated). The session variable could be stored based on the user's name (assuming unique names) and retrieved using code similar to the above which gets the current user's name to access the correct session object.

Using the built-in forms authentication will also allow you to "protect" areas of your website from un-authorized users with simple declarative code that goes in your web.config, for example:

<authorization>
  <deny users="?"/>
</authorization>

Adding the above to your "main" web.config would ensure that none of your pages are accessible to un-authorized users (though you'd probably never do this in reality - it's just meant as an example). Using the ASP.NET Role Provider in conjunction with the Membership Provider will give you even greater granularity over who can or can't access various sections of your website.
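To show how the pieces of the answer fit together, here is a constructed web.config fragment (added here, not from the original answer or from any project) that enables Forms authentication, denies anonymous users site-wide, wires up the SQL role provider, and restricts one folder to a role. The paths "Account/Login.aspx" and "Admin", the role name "Administrators", and the connection string are assumptions for illustration.

```xml
<?xml version="1.0"?>
<!-- Constructed example web.config (not from the original answer).
     Paths, the role name and the connection string are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder connection string; the membership and role providers share it. -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=AppDb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication: ASP.NET issues the authentication ticket cookie after
         a successful login, so identity no longer depends on Session. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>

    <!-- Site-wide default: anonymous users ("?") are denied on every page. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Role provider backed by the same database as the membership provider,
         so roles can be used both in code (User.IsInRole) and in config. -->
    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>

  <!-- Finer granularity: only the Administrators role may reach /Admin.
       Rules are evaluated top to bottom and the first match wins, so the
       allow must precede the catch-all deny users="*". -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the authorization check runs in the UrlAuthorizationModule on every request, before Session is even loaded, which is exactly the point at which the question's Application_AuthenticateRequest approach ran into trouble.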
