保护饼干的默认MVC应用5 [英] Securing Cookies for Default MVC 5 Application

问题描述

我在VS2013开始了一个新的MVC 5应用程序（使用向导验证=单个用户帐户）。

I've started a new MVC 5 application in VS2013 (with Authentication = Individual User Accounts in the wizard).

我看我的web.config文件，它说：

I'm looking at my web.config file and it says:

    <authentication mode="None" />

不过，我可以明确地创建一个帐户，并登录到我的网站。所以这是一个神秘的一点点。我已阅读，如果我使用窗体身份验证，那我需要记住我的饼干SSL只为我的网站是安全的（刚刚SSL昨天工作）。

However, I can clearly create an account and login to my site. So this is a little bit of a mystery. I have read that if I were using forms authentication, that I would need to mark my cookies SSL-only for my site to be secure (just got SSL working yesterday).

有没有，如果我的身份验证模式设置为无类似的一步呢？

Is there an analogous step if my authentication mode is set to "None"?

什么是无的真正含义是在这种情况下，因为我可以明确地验证到我的网站？

What does "None" really mean in this context, since I can clearly authenticate to my site?

我托管在Azure上，如果它的确与众不同，但我认为事实并非如此。

I'm hosting on Azure, if it makes a difference, but I assume it doesn't.

推荐答案

MVC5不会再使用窗体身份验证。它使用在asp.net身份框架OWIN中间件来处理身份验证的东西。您将可以看到 Startup.Auth.cs 认证相关的配置它位于App_Start文件夹文件。

MVC5 doesn't use forms authentication anymore. It uses OWIN middleware on asp.net identity framework to handle authentication stuff. You will be able to see authentication related configurations on Startup.Auth.cs file which is located on App_Start folder.

<authentication mode="None" />

认证方式为您正在使用MVC5单个用户帐户（而不是任何其他旧/窗体身份验证）设置为无。这意味着旧的web.config配置的认证不再与asp.net身份框架MVC5可用。

Authentication mode set to None as you are using MVC5 Individual User Accounts (not any other old / forms authentication). That means old web.config authentication configurations no longer available on MVC5 with asp.net identity framework.

如果您使用MVC5 Windows身份验证，然后验证模式将是windows

If you used MVC5 Windows Authentication, then authentication mode will be windows

<authentication mode="Windows" />

完全不用担心在Azure托管，我们已经举办和管理的在Azure上mvc5基于Cookie的身份验证的应用程序数量没有任何问题。

Nothing to worry about hosting on azure as we have been hosted and managing number of mvc5 Cookie Based Authentication applications on azure without any issues.

此外，你会发现，有在web.config中如下另一个配置。

Also you will notice that there is another configuration on web.config as follow.

<modules>
  <remove name="FormsAuthentication" />
</modules>

这是去除HTTP模块，因为没有在使用MVC5个人用户帐户身份验证的东西不再需要了。

This is for removing the HTTP module as no longer needed when using MVC5 individual user accounts authentication stuffs.

这篇关于保护饼干的默认MVC应用5的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！