Parse Database Authorization - Security For User Objects


Problem description


I have an ASP.NET MVC 4 web application where I use Parse as the database in the back-end (https://www.parse.com/) and C# as the programming language.


I use the ParseUser class to log in registered users (https://www.parse.com/docs/dotnet_guide#users-login) like this:

ParseUser.LogInAsync("my_username", "my_password");


Then I have created a custom authorization attribute and I apply it in some controllers and action methods of my project.

public class AuthorizeParseUserAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (ParseUser.CurrentUser != null && ParseUser.CurrentUser.IsAuthenticated)
        {
            return true;
        }

        return false;
    }
}


This is Parse's documentation for the CurrentUser property: https://www.parse.com/docs/dotnet_guide#users-current


So, I have the following problem: I successfully log in using my credentials. After logging in, I enter the main page of my application (the AuthorizeParseUserAttribute has been applied to the corresponding action method). Then I send the URL of this main page to another person, on another computer, and that user (who is not even a registered user) can see the main page of my application and is logged in with my credentials!!! Parse's documentation on security for user objects is the following: https://www.parse.com/docs/dotnet_guide#users-security


Can you please propose any solution to solve this very serious problem? Thank you.

Recommended answer


The Parse SDK for .NET assumes you are building an app that is running on one device per user - it's not designed to integrate with ASP.NET.

From the documentation:


Whenever you use any signup or login methods, the user is cached on disk.


ParseUser.CurrentUser is a static method that returns the cached user from the latest call to a signup or login method. This is why in your code, after one user logs in, everybody else that makes a request is also logged in as that user!


I am attempting to integrate Parse with an ASP.NET MVC site I'm currently developing. My plan to work around this limitation is to set the authentication cookie after logging in with Parse, then log out the user (their authentication cookie will still be set though).

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginModel model, string returnUrl)
{
    ParseUser user;

    try
    {
        user = await ParseUser.LogInAsync(model.UserName, model.Password);
    }
    catch (ParseException e)
    {
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    FormsAuthentication.SetAuthCookie(user.Username, model.RememberMe);
    ParseUser.LogOut();

    return RedirectToLocal(returnUrl);
}


The Register method looks like this:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        // Attempt to register the user
        try
        {
            var user = new ParseUser
            {
                Username = model.UserName,
                Password = model.Password,
            };

            await user.SignUpAsync();

            FormsAuthentication.SetAuthCookie(model.UserName, false);
            ParseUser.LogOut();
            return RedirectToAction("Index", "Home");
        }
        catch (ParseException e)
        {
            ModelState.AddModelError("", e.Message);
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}
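As an added example (not part of the answer above), here is an authorization attribute that makes the per-request decision from the forms-authentication ticket the answer's Login and Register actions issue, together with the RedirectToLocal helper the answer's Login action calls and a matching log-off action. The attribute name, the controller sketch and the web.config requirement are assumptions, not from the original post.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical replacement for the question's AuthorizeParseUserAttribute.
// ParseUser.CurrentUser is a process-wide cache of the most recent login, so
// it is the same for every browser that hits the site. The forms-authentication
// principal, by contrast, is rebuilt on every request from that request's own
// cookie, so one visitor's login cannot leak to another.
public class AuthorizeFormsUserAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null || httpContext.User == null)
            return false;

        var identity = httpContext.User.Identity;
        // IsAuthenticated is only true when FormsAuthenticationModule decrypted
        // and validated a ticket carried by this request's cookie (this assumes
        // <authentication mode="Forms"> is configured in web.config).
        return identity != null && identity.IsAuthenticated
            && !string.IsNullOrEmpty(identity.Name);
    }
}

// Sketch of the controller hosting the answer's Login action; only the two
// helpers discussed here are shown.
public class AccountController : Controller
{
    // Helper the answer's Login action calls. Only local URLs are followed,
    // so a crafted returnUrl cannot bounce a freshly authenticated user to an
    // external site (open redirect). Same pattern as the MVC 4 template.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // Logging out must clear the per-request ticket; ParseUser.LogOut() alone
    // only clears the shared SDK cache and leaves the browser's cookie valid.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```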
