asp.net Web Api custom authentication requirement for mobile client


Problem description


Please provide your feedback on my solution against following requirements.

Requirements (similar):


1.a Let's say that the authentication token is made out of the email and date and is encrypted


1.b The authentication token is sent back to the client through a header


1.c The authentication token is stored on the client and on the server

My solution:


1) To send the authentication token back to the client through a header, I have used a cookie and the following code.

HttpCookie cookie = new HttpCookie("AuthenticationToken");
cookie.Value = "EncryptedToken";
Response.Cookies.Add(cookie);


2) I will store the authentication token in the database, and for each request I compare the token saved in the cookie with the token stored in the database. (Assume that the encrypt/decrypt operations are done properly.)

Your feedback/comments?

Recommended answer


I have no expert knowledge in security. To me your idea sounds doable.


However, I was curious why you wanted to do "custom" authentication like this? Have you taken a look at the "built-in" ASP.NET authentication done in Web.API?

Then you can create a custom HttpOperationHandler using the standard .NET pieces, for example:

// val is the encrypted forms-authentication ticket taken from the request cookie
var ticket = FormsAuthentication.Decrypt(val);
var ident = new FormsIdentity(ticket);
...
// the principal built from the ticket, with no roles
var principal = new GenericPrincipal(ident, new string[0]);
Thread.CurrentPrincipal = principal;
...
if (!principal.Identity.IsAuthenticated)
    return false;

Also, you might want to read about Thread.CurrentPrincipal and Current.User: http://www.hanselman.com/blog/SystemThreadingThreadCurrentPrincipalVsSystemWebHttpContextCurrentUserOrWhyFormsAuthenticationCanBeSubtle.aspx


The pro is that you don't need to store the authentication token in some DB on the server and retrieve it on every request.
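As an added example (not code from the original answer or the asker), here is the built-in-ticket approach from the answer written as an ASP.NET Web API DelegatingHandler, the message-handler counterpart of the HttpOperationHandler mentioned above. The class name FormsTicketHandler and the anonymous fallback principal are assumptions; the ticket is issued at login with FormsAuthentication.SetAuthCookie or FormsAuthentication.Encrypt.

```csharp
// Added example, not from the original page: a Web API message handler that
// authenticates each request from the built-in encrypted FormsAuthentication
// ticket cookie, so no per-user token table is needed on the server.
// Assumed registration: config.MessageHandlers.Add(new FormsTicketHandler());
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Security;

public class FormsTicketHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Default to an anonymous principal (empty name => IsAuthenticated == false).
        IPrincipal principal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

        // Find the forms cookie among the request's Cookie headers.
        var cookie = request.Headers.GetCookies(FormsAuthentication.FormsCookieName)
            .SelectMany(h => h.Cookies)
            .FirstOrDefault(c => c.Name == FormsAuthentication.FormsCookieName);

        if (cookie != null)
        {
            FormsAuthenticationTicket ticket = null;
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }   // verifies MAC, then decrypts
            catch (Exception) { /* garbled or tampered ticket: stay anonymous */ }

            if (ticket != null && !ticket.Expired)
                principal = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
        }

        // Set both so Web API code and any System.Web code see the same user.
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null)
            HttpContext.Current.User = principal;

        if (!principal.Identity.IsAuthenticated)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));

        return base.SendAsync(request, cancellationToken);
    }
}
```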
