Parse Database Authorization - Security For User Objects


Problem description


I have an ASP.NET MVC 4 web application where I use Parse as the database in the back-end (https://www.parse.com/) and C# as the programming language.


I use the ParseUser class to log in registered users (https://www.parse.com/docs/dotnet_guide#users-login) like this:

ParseUser.LogInAsync("my_username", "my_password");


Then I created a custom authorization attribute and I apply it to some controllers and action methods of my project.

using System.Web;
using System.Web.Mvc;
using Parse;

public class AuthorizeParseUserAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // ParseUser.CurrentUser is static (process-wide) state, not per-request state.
        if (ParseUser.CurrentUser != null && ParseUser.CurrentUser.IsAuthenticated)
        {
            return true;
        }

        return false;
    }
}


This is Parse's documentation for CurrentUser property https://www.parse.com/docs/dotnet_guide#users-current


So, I have the following problem: I successfully log in using my credentials. After logging in, I enter the main page of my application (the AuthorizeParseUserAttribute has been applied to the corresponding action method). Then I send the URL of this main page to another person, on another computer, and that user (who is not even a registered user) can see the main page of my application and is logged in with my credentials!!! Parse's documentation on security for user objects is the following: https://www.parse.com/docs/dotnet_guide#users-security


Can you please propose any solution to solve this very serious problem? Thank you.

Recommended answer


The Parse SDK for .NET assumes you are building an app that is running on one device per user - it's not designed to integrate with ASP.NET.

From the documentation:


Whenever you use any signup or login methods, the user is cached on disk.


ParseUser.CurrentUser is a static method that returns the cached user from the latest call to a signup or login method. This is why in your code, after one user logs in, everybody else that makes a request is also logged in as that user!


I am attempting to integrate Parse with an ASP.NET MVC site I'm currently developing. My plan to work around this limitation is to set the authentication cookie after logging in with Parse, then log out the user (their authentication cookie will still be set though).

using System.Threading.Tasks;
using System.Web.Mvc;
using System.Web.Security;
using Parse;

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginModel model, string returnUrl)
{
    ParseUser user;

    try
    {
        user = await ParseUser.LogInAsync(model.UserName, model.Password);
    }
    catch (ParseException)
    {
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Issue the ASP.NET forms-authentication cookie to this browser only ...
    FormsAuthentication.SetAuthCookie(user.Username, model.RememberMe);
    // ... then clear the process-wide cached Parse user so later requests
    // from other visitors are not treated as this user.
    ParseUser.LogOut();

    return RedirectToLocal(returnUrl);
}

The Register method is as follows:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        // Attempt to register the user
        try
        {
            var user = new ParseUser
            {
                Username = model.UserName,
                Password = model.Password,
            };

            await user.SignUpAsync();

            FormsAuthentication.SetAuthCookie(model.UserName, false);
            ParseUser.LogOut();
            return RedirectToAction("Index", "Home");
        }
        catch (ParseException e)
        {
            ModelState.AddModelError("", e.Message);
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}
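To complete the workaround above, the authorization attribute from the question must stop consulting the static ParseUser.CurrentUser and instead decide per request from the forms-authentication principal. The following is an added example (not code from the answer or from Parse); the attribute name and the LogOff action are assumed, and the defensive ParseUser.LogOut() call guards against any code path that leaves a user cached in the process between LogInAsync and LogOut.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using Parse;

// Assumed name. Replaces AuthorizeParseUserAttribute from the question:
// the decision comes from httpContext.User (populated by FormsAuthentication
// from the cookie set in Login), which is per request, never from the
// process-wide ParseUser.CurrentUser cache.
public class AuthorizeFormsUserAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Defensive: a Parse user cached in this process (for example by a
        // concurrent Login that has not yet reached LogOut) must never be
        // allowed to authorize an unrelated visitor's request.
        if (ParseUser.CurrentUser != null)
        {
            ParseUser.LogOut();
        }

        if (httpContext == null || httpContext.User == null)
        {
            return false;
        }

        IIdentity identity = httpContext.User.Identity;

        // Only accept an identity that was established by the forms-auth
        // ticket issued in Login (FormsIdentity.AuthenticationType == "Forms").
        return identity != null
            && identity.IsAuthenticated
            && identity.AuthenticationType == "Forms";
    }
}

public class AccountController : Controller
{
    // Assumed companion action: ending the session means invalidating the
    // browser's forms-auth cookie; there is no Parse session to end because
    // Login already called ParseUser.LogOut().
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

Decorate the controllers and actions that previously used [AuthorizeParseUser] with [AuthorizeFormsUser]; because no request reads ParseUser.CurrentUser, sharing the page URL with another browser no longer grants that browser the first user's session.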
