Custom FormsAuthenticationTicket validation


Question

I've got a website that hosts many asp.net applications. Some are written in MVC2, some are written in MVC3, some are not written in house and are binary deployed (although we can find source code), and many, many more are written in ASP.Net 2.0 webforms. Across all of these sites we use a single login page from a login application. We can do this because all applications share:


  1. The same application pool

  2. The same machine key

  3. The same login cookie name

My problem is they also share the security problem: no cookie spoofing protection. My plan is to add some extra information (first 2 bytes of IP, user agent) to the login cookie (possibly in the userdata field) and then verify this on every request before accepting the cookie.

My question is: where does asp.net check the forms authentication ticket and load the user, and can I override this to check a few extra things before using the login?

It would be a plus if I didn't have to add this code to every global.cs and could put it in some dll and reference that dll in the config file.

Recommended answer

You cannot override authentication except by writing a new FormsAuthenticationModule, but there is a simpler way. While the ASP.NET pipeline processes requests, an event is raised at each step; this is where you can tap into the ASP.NET pipeline and do your job.

In your case, you can validate your cookie in the PostAuthenticateRequestHandler event handler.

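 // Runs inside the PostAuthenticateRequest handler of the application.
 HttpCookie authCookie = Context.Request.Cookies["YourFormsCookieName"];
 // IsValidAuthCookie is your own check (not a framework method).
 if (IsValidAuthCookie(authCookie))
 {
   // do some stuff
 }
 else
 {
   // expire cookie using FormsAuthentication.SignOut()
   // do some stuff
 }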

This is a useful link: Forms Authentication (http://www.asp.net/web-forms/tutorials/security/introduction/forms-authentication-configuration-and-advanced-topics-cs)
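The approach discussed above, packaged as an HTTP module that can live in one shared DLL. This is an added example, not code from the question or the answer. The class name `TicketBindingModule`, the helper `BuildBinding` and the `"<ip prefix>|<user agent>"` layout of `UserData` are assumptions, and the login page is assumed to write `BuildBinding(...)` into the ticket's `UserData` when it issues the cookie.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module: compile into a shared DLL and register it in each application's web.config.
public class TicketBindingModule : IHttpModule
{
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }
    public void Dispose() { }

    // Assumed binding format: first two IPv4 octets, a pipe, then the User-Agent header.
    // Non-IPv4 addresses yield an empty prefix, so only the user agent is bound for them.
    public static string BuildBinding(string ip, string userAgent)
    {
        string[] octets = (ip ?? "").Split('.');
        string prefix = octets.Length == 4 ? octets[0] + "." + octets[1] : "";
        return prefix + "|" + (userAgent ?? "");
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return; // anonymous request

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; } // tampered or undecryptable value: fail closed

        // Behind a reverse proxy UserHostAddress is the proxy's address, not the client's.
        string expected = BuildBinding(ctx.Request.UserHostAddress, ctx.Request.UserAgent);
        bool ok = ticket != null && !ticket.Expired
                  && string.Equals(ticket.UserData, expected, StringComparison.Ordinal);
        if (!ok)
        {
            FormsAuthentication.SignOut(); // expires the forms cookie in the response
            // Replace the principal so later pipeline stages treat this request as anonymous.
            ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}
```

Register the module under `<system.web><httpModules>` (classic pipeline) or `<system.webServer><modules>` (IIS 7 integrated pipeline) in each application's config. Tickets issued before the login page starts writing the binding will fail the check, so users will be sent back to the login page once after rollout.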
