在手动窗体身份验证的用户身份登录 [英] Log user in manually with Forms Authentication

问题描述

我试图实现基于令牌授权一个Asp.Net MVC2应用程序，我觉得我的做法是错误的。第一关：通过基于令牌的授权，我的意思是，当一个未认证用户进入 http://myapp.com/some/action?tok= [特别的单次使用的令牌这里] 他们已登录。

I'm trying to implement token-based authorization for an Asp.Net MVC2 app, and I think my approach is wrong. First off: by token-based authorization I mean that when an unauthenticated user goes to http://myapp.com/some/action?tok=[special single-use token here] they are logged in.

在我的应用程序中的控制器扩展了一个公共的ApplicationController ，所以我的方法是覆盖 OnAuthorize 上控制器如下：

All of the controllers in my app extend a common ApplicationController, so my approach was to override OnAuthorize on that controller as follows:

class ApplicationController
{
    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.QueryString["tok"] != null)
        {
            var token = HttpUtility.UrlDecode(filterContext.HttpContext.Request.QueryString["tok"]);

            if ((var user = getUserByToken(token)) != null)
            {
                 FormsAuthentication.SetAuthCookie(user.Email, false);
            }
            else{ /* highly-proprietary handling of invalid token */ }
        }
        base.OnAuthorization(filterContext);
    }
}

我的绝对确定的是 SetAuthCookie 正在当它应该和不被称为调用时它不应该。

I am absolutely certain that SetAuthCookie is being called when it should and not being called when it shouldn't.

问题是，并没有真正用户登录，它设置了一个cookie，这意味着我不得不重定向（ User.Identity.IsAuthenticated 遗体打完电话后假 SetAuthCookie ）。但这个整体思路是继续请求正常，避免无谓的重定向。是否有某种方式来实现这一目标？它并没有真正看起来一大堆问...

The problem is, that doesn't really log the user in. It sets a cookie, which means I'd have to redirect (User.Identity.IsAuthenticated remains false after calling SetAuthCookie.) But the whole idea about this is to continue the request as normal and avoid a pointless redirect. Is there some way to accomplish this goal? It doesn't really seem like a whole lot to ask...

推荐答案

在你打电话SetAuthCookie，自认倒霉了User.Identity变化。在接下来的请求时，该数据将成为你期待什么。在这里做的最好的事情是发出一个重定向SetAuthCookie被称为后。

After you call SetAuthCookie, nothing changes with the User.Identity. On the next request, the data will be what you are expecting. The best thing to do here is to issue a redirect after SetAuthCookie has been called.

这篇关于在手动窗体身份验证的用户身份登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！