干净的方式从Intranet或Internet确定是否用户 [英] clean way to identify if user from intranet or internet

问题描述

我

如何确定如果用户从Internet或Intranet访问我的应用程序？

我很困惑的IIS服务器变量的来源和安全性。 http://msdn.microsoft.com/en-us/library/ms524602.aspx 例如，为Request.ServerVariables [AUTH_USER]空白远程用户？

此外，在上Environment.UserDomainName文档 HTTP：/ /msdn.microsoft.com/en-us/library/system.environment.userdomainname.aspx 让我觉得这是可以通过命名的计算机名称相同的域名，我检查到游戏这个

在理想情况下，我只是想......

 如果（[...用户并不遥远......]＆功放;＆安培; Enironment.UserDomainName ==TargetLocalDomainName）
    VAR用户名= Environment.UserName;
    prepareLocalUserSession（用户名）;
    RedirectToHomePage（）;
 }
 //其他
 [...重定向到远程登录的网页...]
 

所以我的问题是如何确定用户是否从远程目标来吗？我强烈preFER使用的东西不是IP检查，如果有可能少凌乱。

感谢

---

修改

我以为我上面的方法是如此可怕，我想发布一个理智的方式

  VAR hostAddress = System.Web.HttpContext.Current.Request.UserHostAddress;

布尔LocalUser上= hostAddress.StartsWith（192）| hostAddress.StartsWith（10。）| hostAddress.StartsWith（172）|| HTT prequest.Current.Request.IsLocal;

。字符串的用户名= Request.ServerVariables [LOGON_USER]分割（新的char [] {/}）[0];
。字符串域= Request.ServerVariables [LOGON_USER]分割（新的char [] {/}）[1];

如果（LocalUser上和放大器;＆安培;域==TargetLocalDomainName）{
   prepareLocalUserSession（用户名）;
   RedirectToHomePage（）;
}

//其他
[...重定向到远程登录的网页...]
 

解决方案

首先，你不能使用环保类来获取发出请求的用户信息的服务器。 环保访问本地计算机的环境，让您总能获得服务器的详细信息。在那里没有什么是要告诉你的事情之一，有关客户端。

适用于服务器中的所有客户信息将在要求对象。如果您在网站上使用的身份验证就可以获取用户登录，然后检查用户的安全细节<一个href="http://msdn.microsoft.com/en-us/library/system.web.htt$p$pquest.logonuseridentity%28v=vs.100%29.aspx"相对=nofollow> System.Web.HttpContext.Current.Request.LogonUserIdentity 例如。

这还是不会告诉你哪里的客户端实际上然而。测试用户的登录域只会告诉你，如果用户已经通过身份验证对域，客户端不在于是否是你的本地网络上。如果你的网站是从您的网络外部访问（使用N​​AT的情况下，或混​​合公+服务器上的私有地址），你还是要检查IP地址的请求，以确保它在本地网络。

所以，简单的答案是，你不能没有针对已知的内部网络范围检查IP地址，做到这一点。

how can I determine if a user is accessing my application from the internet or intranet?

I'm very confused about the source and security of the IIS server variables. http://msdn.microsoft.com/en-us/library/ms524602.aspx for example, is Request.ServerVariables["AUTH_USER"] blank for remote users?

also, the documentation on Environment.UserDomainName at http://msdn.microsoft.com/en-us/library/system.environment.userdomainname.aspx makes me think it is possible to game this by naming the computer name equal to a domain name I'm checking for

Ideally, I'd just like to ...

if ( [ ... user is not remote ... ] && Enironment.UserDomainName == "TargetLocalDomainName" )
    var username = Environment.UserName;
    PrepareLocalUserSession(username);
    RedirectToHomePage();
 } 
 //else
 [... redirect to remote login page ...]

so my question is how do I determine if the user is coming from a remote destination? I'd strongly prefer to use something less messy than IP checking if possible.

Thanks

---

EDIT

I thought my approach above was so horrible that I wanted to post a sane approach

var hostAddress = System.Web.HttpContext.Current.Request.UserHostAddress;

bool localUser = hostAddress.StartsWith("192.") | hostAddress.StartsWith("10.") | hostAddress.StartsWith("172.") || HttpRequest.Current.Request.IsLocal;

string username = Request.ServerVariables["LOGON_USER"].split( new char[]{"/"})[0]; 
string domain   = Request.ServerVariables["LOGON_USER"].split( new char[]{"/"})[1];

if( localUser && domain == "TargetLocalDomainName" ){
   PrepareLocalUserSession(username);
   RedirectToHomePage();
} 

//else
[... redirect to remote login page ...]

解决方案

Firstly, you can not use the Environment class to get information about the user making the request to your server. Environment accesses the local computer's environment, so you'll always get the server's details. Nothing in there is going to tell you thing one about the client.

All client information available to the server will be in the Request object. If you use authentication on your website you can get the user to log in, then check the user's security details in System.Web.HttpContext.Current.Request.LogonUserIdentity for example.

This still won't tell you where the client actually is however. Testing the user's login domain will only tell you if the user has authenticated against the domain, not whether the client is on your local network. If your website is accessible from outside your network (using NAT for instance, or mixed public + private address on the server) you'll still have to check the IP address on the request to make sure it's in the local network.

So the short answer is that you can't do this without checking the IP address against known internal network ranges.

这篇关于干净的方式从Intranet或Internet确定是否用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！