Login as... best practices?


Question

I'm developing a site where an admin user will be able to log in as other user types in the system. I therefore have a need to track a current "display" user and the current "logged in" user. The most obvious place seems to be the session, but then you have challenges keeping the session timeout in sync with the authentication timeout.

See my question here:
MVC session expiring but not authentication

What are the best practices for handling this kind of a scenario?

Recommended answer

Besides the usual web.config settings for timeouts/security:

<location path="Portal/Dashboard">
<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
</location>

<authentication mode="Forms">
  <forms loginUrl="~/Portal/Logout" timeout="10" />
</authentication>

Here's how I handle this in my controllers:

    // Prefer the session copy; fall back to the forms-auth ticket when the session has expired.
    loggedInPlayer = (Player)Session["currentPlayer"];
    if (loggedInPlayer == null)
    {
        loggedInPlayer = Common.readCookieData(User.Identity);
    }
    if (loggedInPlayer.UserID > 0)
    {
        //Dude's signed in, do work here
    }
    else
    {
        return PartialView("Logout");
    }

And then for my LogOut() controller method I say:

    public ActionResult Logout()
    {
        Session["currentPlayer"] = null;
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home", new { l = "1" }); //Your login page
    }

For handling the cookie I have:

    public static Player readCookieData(System.Security.Principal.IIdentity x)
    {
        Player loggedInPlayer = new Player();
        if (x.IsAuthenticated)
        {
            loggedInPlayer.UserID = 0;
            if (x is FormsIdentity)
            {
                FormsIdentity identity = (FormsIdentity)x;
                FormsAuthenticationTicket ticket = identity.Ticket;
                // UserData is expected to be "UserID|FirstName|LastName".
                string[] ticketData = (ticket.UserData ?? "").Split('|');
                int userId;
                // A malformed ticket leaves UserID at 0, which callers treat as signed out.
                if (ticketData.Length >= 3 && int.TryParse(ticketData[0], out userId))
                {
                    loggedInPlayer.UserID = userId;
                    loggedInPlayer.UserFName = ticketData[1];
                    loggedInPlayer.UserLName = ticketData[2];
                }
            }
        }
        else
        {
            loggedInPlayer.UserID = 0;
            loggedInPlayer.UserFName = "?";
            loggedInPlayer.UserLName = "?";
        }
        return loggedInPlayer;
    }
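
An added example, not part of the original answer: one way to apply the same ticket approach to the "login as" case is to keep both the real admin and the displayed user in the forms-auth ticket's UserData, so the impersonation state expires together with authentication instead of with the session. The `ImpersonationTicket` class, its method names and the `effectiveUserId|actorUserId` layout are assumptions made for this illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the answer): keeps the real admin and the
// impersonated "display" user in one forms-auth ticket so both expire together.
public static class ImpersonationTicket
{
    // Assumed UserData layout: "effectiveUserId|actorUserId"; equal ids mean no impersonation.
    public static HttpCookie Issue(string userName, int effectiveUserId, int actorUserId)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout),
            false, effectiveUserId + "|" + actorUserId,
            FormsAuthentication.FormsCookiePath);

        // With the default protection="All", Encrypt() encrypts and signs the
        // ticket, so the client cannot edit the ids without invalidating it.
        return new HttpCookie(FormsAuthentication.FormsCookieName,
                              FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
    }

    // Returns false for anything missing, expired or malformed; treat that as signed out.
    public static bool TryRead(FormsIdentity identity, out int effectiveUserId, out int actorUserId)
    {
        effectiveUserId = 0;
        actorUserId = 0;
        if (identity == null || identity.Ticket == null || identity.Ticket.Expired)
            return false;

        string[] parts = (identity.Ticket.UserData ?? "").Split('|');
        return parts.Length == 2
            && int.TryParse(parts[0], out effectiveUserId) && effectiveUserId > 0
            && int.TryParse(parts[1], out actorUserId) && actorUserId > 0;
    }

    public static bool IsImpersonating(int effectiveUserId, int actorUserId)
    {
        return effectiveUserId != actorUserId;
    }
}
```

The server-side check that the caller is an admin belongs before `Issue` is called with two different ids, and `actorUserId` is the value to record in audit logs for anything done while impersonating.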
