FormsAuthentication反对过时[使用MVC5] [英] FormsAuthentication object obsolete [using MVC5]

问题描述

我用下面的code在MVC5网站：

I'm using the following code in an MVC5 site:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel loginModel) {
    if (ModelState.IsValid) {
        var authenticated = FormsAuthentication.Authenticate(loginModel.UserName, loginModel.Password);
        if (authenticated) {
            FormsAuthentication.SetAuthCookie(loginModel.UserName, true);
            return RedirectToAction("AdminPanel");
        }
        ModelState.AddModelError("", "The username and password combination were incorrect");
    }
    return View(loginModel);
}

这抛出了以下警告：

Which throws up the following warning:

System.Web.Security.FormsAuthentication.Authenticate（字符串，字符串）'
  已经过时了：推荐的替代方案是使用会员
  API，比如Membership.ValidateUser。欲了解更多信息，请参阅
  <一href=\"http://go.microsoft.com/fwlink/?LinkId=252463\">http://go.microsoft.com/fwlink/?LinkId=252463.'

System.Web.Security.FormsAuthentication.Authenticate(string, string)' is obsolete: 'The recommended alternative is to use the Membership APIs, such as Membership.ValidateUser. For more information, see http://go.microsoft.com/fwlink/?LinkId=252463.'

首先免责声明 - 我是一个喜欢不断更新的东西的开发商之一，我preFER避免在警告完全VS。然而，在这种特定情况下，我使用极其原始身份验证，这从web.config直接来了，如下：

First a disclaimer - I'm one of those developers that likes to keep up to date with things, and I prefer to avoid warnings in VS entirely. However, in this particular instance, I am using extremely primitive authentication, which comes directly from the web.config, as follows:

<authentication mode="Forms">
    <forms loginUrl="~/account/login" timeout="2880" slidingExpiration="true" name=".ASPXFORMSAUTH">
        <credentials passwordFormat="SHA1">
            <user name="MyUserName" password="a-big-long-password-hash"/>
        </credentials>
    </forms>
</authentication>

有绝对在这个项目中没有进一步的登录需求 - 使用一个数据库是大材小用，而且也没有必要分散登录;基本上，存储在web.config中的细节是最为理想的解决方案，并有可能只是每个应用程序的用户。我无疑将抽象与控制器的认证code OUT（使用DI / IOC），但我仍然打算使用FormsAuthentication对象反对在web.config中的详细信息进行身份验证。

There is absolutely no further login requirements in this project - using a database is overkill, and there's no need for distributed login; basically, storing the details in web.config is the most ideal solution, and there will probably only be one user per application. I will no doubt abstract the authentication code out from the controller (using DI / IoC), but I am still intending to use the FormsAuthentication object to authenticate against the details in web.config.

虽然我充分意识到会员供应商，DotNetOpenAuth和新的（但pretty可怕IMO）OWIN基础的认证模式，上述code是绰绰有余。

While I am fully aware of membership providers, DotNetOpenAuth and the new (but pretty horrible imo) OWIN based authentication model, the above code is more than adequate.

第一个问题 - 为什么已经过时FormsAuthentication时，这是一个完全有效的用例？据我所知，FormsAuthentication是一个密封的黑匣子，难以测试，和其背后的code是特定域，但在这个特殊的例子（其中，我想直接从web.config的部分读细节），它似乎疯狂写一个成员提供程序或自定义身份验证服务？

First question - Why has FormsAuthentication been made obsolete when this is a perfectly valid use case? I understand that FormsAuthentication is a sealed black box, is hard to test, and the code behind it is domain specific, but in this particular instance (where I want to read details directly from the section of the web.config), it seems madness to write a membership provider or a custom authentication service?

第二个问题 - 除非我失去了一些东西，新的OWIN模型是分布式认证，并且不适合基于一定的作用，企业级安全系统。从众多博客文章，白皮书和SO帖子我看过，也好像它仍然是不完整的。我的权利在我的假设？是OWIN所有安全系统的未来，或者我应该继续写定制的安全系统更适合于我的客户的需求呢？

Second Question - Unless I'm missing something, the new OWIN model is for distributed authentication, and is not suitable for a role based, enterprise level security system. From the many blog posts, white papers and SO posts I've read, it also seems like it's still incomplete. Am I right in my assumptions? Is OWIN the future of all security systems, or should I continue to write bespoke security systems more appropriate for my clients needs?

推荐答案

要你的第一点，我们废弃了，因为它是由现代安全标准严重不足。它采用无迭代，这意味着任何人谁访问你的web.config可以很容易地找出原始密码是一个直哈希值。但是，如果你愿意接受这些风险，你当然可以继续使用它前进。只是燮preSS与你原来的code中的警告和士兵。

To your first point, we obsoleted it because it is woefully inadequate by modern security standards. It uses a straight hash with no iteration, which means that anybody who accesses your Web.config can easily figure out what the original passwords were. But if you're willing to accept these risks, you can certainly continue using it going forward. Just suppress the warning and solider on with your original code.

要你的第二个问题，有没有这和OWIN。

To your second point, there is no relation whatsoever between any of this and OWIN.

希望这会清除它！

这篇关于FormsAuthentication反对过时[使用MVC5]的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！