请问有什么好的理由身份验证Cookie和会话状态的cookie是两个独立的饼干？ [英] Is there any good reason why the authentication cookie and the session state cookie are two separate cookies?

问题描述

有没有什么好的理由ASP.NET的会话状态的cookie和窗体身份验证cookie是两个独立的饼干？如果我想给他们绑到对方？是否有可能在一个优雅的方式？

Is there any good reason why ASP.NET's session state cookie and the Forms Authentication cookie are two separate cookies? What if I want to "tie" them to each other? Is it possible in an elegant way?

现在，我坚持以下解决方案，它的工作原理，但仍是丑陋的：

Right now, I am stuck with the following solution, which works, but is still ugly:

[Authorize]
public ActionResult SomeAction(SomeModel model)
{
    // The following four lines must be included in *every* controller action
    // that requires the user to be authenticated, defeating the purpose of
    // having the Authorize attribute.
    if (SomeStaticClass.WasSessionStateLost/*?*/) {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login", "Account");
    }

    // ...
}

---

@ RPM1984：这是会发生什么：

[HttpPost]
public ActionResult Login(LoginModel loginModel)
{
    if (/* user ok */)
    {
        // ...
        Session["UserID"] = loginModel.UserID;
        Session["Password"] = loginModel.Password;
        // ...
    }
    else
    {
        return View();
    }
}

和它不会花费太多猜测知道 WasSessionStateLost 一样。

And it doesn't take much guessing to know what WasSessionStateLost does.

推荐答案

我将开始与解决方法，然后解释后跟一个建议。

I'll start with a solution, then an explanation followed by a recommendation.

创建自定义授权属性：

由于您的应用程序定义授权如下：

Since your application defines Authorized as follows:

• 已登录


• 必须在值会话[用户名] 和会话[密码]

• Logged in
• Must have values in Session["UserID"] and Session["Password"]

您需要定义自己的AuthorizationAttribute

you need to define your own AuthorizationAttribute

    public class AuthorizedWithSessionAttribute : AuthorizeAttribute
    {    
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if(httpContext.Request.IsAuthenticated && 
                Session["UserID"] != null && Session["Password"] != null)
                return true;

            // sign them out so they can log back in with the Password
            if(httpContext.Request.IsAuthenticated)
                FormsAuthentication.SignOut(); 

            return false;
        }
    }

替换所有的 [授权] 属性与 [AuthorizedWithSession] 键，你不应该需要把会话检查code在控制器。

Replace all your [Authorize] attributes with [AuthorizedWithSession] and you shouldn't need to put session check code in your controllers.

我不知道有足够的了解你的应用程序，但在节省会议（甚至以纯文本格式更坏）的密码是不是做一个安全的事情。

I don't know enough about your application, but saving passwords in session (even worse in plain text) is not a secure thing to do.

此外， RPM1984 表示，会话cookie和身份验证cookie是分开的。

In addition, as RPM1984 said, the session cookie and authentication cookie are separate.

说明：

想与您的姓名的会话信息一桶（服务器端）的。 ASP.NET可以放东西在桶。 ASP.NET为您提供了一个名字，你的会话ID，并把它放在桶里，因此可以知道哪一个是你的了。

Think of the session as a bucket of info (on the server side) with your name on it. ASP.NET can take and put stuff in that bucket. ASP.NET gives you a name, your session id, and puts it on the bucket so it can know which one is yours.

身份验证cookie告诉你验证，并在其中存储您的验证名称ASP.NET。认证名称通常是由应用程序的开发者设定，通常是一个唯一的密钥（认为在DB主键），以从其他用户分开。

The authentication cookie tells ASP.NET that you're authenticated and stores your authentication name in it. The authentication name is usually set by the developer of the application and is usually a unique key (think primary key in a DB) to separate you from the other users.

建议更加安全的：

加密你对他们店前的密码。这并不是绝对安全，但它以纯文本形式存储节拍和口令当然，如果有人获得加密密钥的时候，就可以破解密码。

Encrypt the passwords before your store them. This is not total security, but it beats storing passwords in plain text and of course, if someone were to get a hold of the encryption key, they can crack the passwords.

这篇关于请问有什么好的理由身份验证Cookie和会话状态的cookie是两个独立的饼干？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！