Develop a custom authentication and authorization system consistent with a web forms application

Backend · Unresolved · 2 · 2079
感动是毒 2020-12-06 08:20

I am creating a new ASP.NET MVC 4 application (actually my first MVC application) that is a part of my previous ASP.NET web forms application. I have never used ASP.NET inbu

2 answers
  •  渐次进展
    2020-12-06 09:09

    If you hand-roll your own authentication, the security can only be as strong as how securely you store the ticket in the client-side cookie.

    Normally, you want to encrypt the auth ticket/token and access via SSL. As long as you store the cookie securely at client side, it should not be an issue.

    I would also like to suggest taking a look at how ASP.NET creates a Forms Authentication Ticket.

    Note: If you use an ASP.NET Forms Authentication Ticket you do not need to store the ticket/token in a database, because the user will send the auth ticket to the server on every page request.

    using System;
    using System.Web;
    using System.Web.Security;

    // Issues the forms-auth cookie after the caller has verified the credentials.
    // memberId becomes ticket.Name; tokenId travels in the ticket's UserData.
    void IssueAuthCookie(HttpContextBase httpContext, string memberId, string tokenId, bool createPersistentCookie)
    {
        var now = DateTime.UtcNow.ToLocalTime();

        var ticket = new FormsAuthenticationTicket(
                        1, /*version*/
                        memberId,
                        now,
                        now.Add(FormsAuthentication.Timeout),
                        createPersistentCookie,
                        tokenId, /*custom data*/
                        FormsAuthentication.FormsCookiePath);

        // Encrypted and MAC-protected with the machineKey; only the opaque string reaches the client.
        var encryptedTicket = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        {
           HttpOnly = true,                         // not readable from script
           Secure = FormsAuthentication.RequireSSL, // HTTPS-only when requireSSL="true"
           Path = FormsAuthentication.FormsCookiePath
        };

        if (ticket.IsPersistent)
        {
           cookie.Expires = ticket.Expiration;
        }
        if (FormsAuthentication.CookieDomain != null)
        {
           cookie.Domain = FormsAuthentication.CookieDomain;
        }

        httpContext.Response.Cookies.Add(cookie);
    }

    

    How to create Principal Object

    Once an authenticated user requests a page, you need to retrieve the auth ticket from the cookie and create a Principal object.

    // In Global.asax.cs
    using System;
    using System.Security.Principal;
    using System.Threading;
    using System.Web;
    using System.Web.Security;

    void Application_AuthenticateRequest(object sender, EventArgs e)
    {
       HttpCookie authCookie =
          Context.Request.Cookies[FormsAuthentication.FormsCookieName];

       // Anonymous request: no cookie, nothing to do (avoids a NullReferenceException).
       if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
       {
          return;
       }

       FormsAuthenticationTicket ticket;
       try
       {
          ticket = FormsAuthentication.Decrypt(authCookie.Value);
       }
       catch (Exception) // tampered or undecryptable value: treat as anonymous
       {
          return;
       }
       if (ticket == null || ticket.Expired)
       {
          return;
       }

       var identity = new GenericIdentity(ticket.Name);
       var principal = new GenericPrincipal(identity, null);

       HttpContext.Current.User = principal;
       Thread.CurrentPrincipal = HttpContext.Current.User;
    }

    // In action method, how to check whether user is logged in
    if (User.Identity.IsAuthenticated)
    {

    }

    

    Do I need to extend cookie expiration?

    If you leave slidingExpiration as true (which is true by default), it will increase the expiration time automatically. (Read more on article)
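The following is an added C# example, not code from the answer above or from ASP.NET itself, that pulls the answer's three pieces together (issuing the ticket, rebuilding the principal, sliding expiration) and adds the checks a hand-rolled flow needs: a null cookie, a ticket that fails decryption, and an expired ticket all fall through to "anonymous" instead of throwing. It assumes ASP.NET MVC 4 on System.Web, carries roles as a comma-separated list in the ticket's UserData so `[Authorize(Roles = ...)]` works without a database lookup per request, and hooks `PostAuthenticateRequest` (rather than `AuthenticateRequest`) so it runs after the built-in FormsAuthenticationModule. `CustomAuth`, `MvcApplication`, `AccountController` and the "Admin" role are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical helper (added example): roles ride inside the encrypted ticket.
public static class CustomAuth
{
    // Call only after the application has verified the user's credentials.
    public static void SignIn(HttpResponseBase response, string memberId, string[] roles, bool persistent)
    {
        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, memberId, now, now.Add(FormsAuthentication.Timeout),
            persistent, string.Join(",", roles), FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // unreadable from script
            Secure = FormsAuthentication.RequireSSL, // HTTPS-only when requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };
        if (ticket.IsPersistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // Returns the ticket, or null for an anonymous, forged or expired cookie.
    // Decrypt throwing on a bad MAC/padding *is* the integrity check; never bypass it.
    public static FormsAuthenticationTicket ReadTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }
        try
        {
            var ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (Exception) // ArgumentException / HttpException on a tampered value
        {
            return null;
        }
    }

    public static IPrincipal ToPrincipal(FormsAuthenticationTicket ticket)
    {
        var roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new GenericIdentity(ticket.Name, "Forms"), roles);
    }
}

// Global.asax.cs: runs after FormsAuthenticationModule, so replacing Context.User
// here does not fight the built-in principal.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        var ticket = CustomAuth.ReadTicket(cookie);
        if (ticket == null)
        {
            return; // stays anonymous; [Authorize] redirects to the login page
        }

        // Sliding expiration: once more than half the lifetime has passed,
        // RenewTicketIfOld returns a fresh ticket; push it back to the client.
        var renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        if (!ReferenceEquals(renewed, ticket))
        {
            cookie.Value = FormsAuthentication.Encrypt(renewed);
            if (renewed.IsPersistent)
            {
                cookie.Expires = renewed.Expiration;
            }
            Response.Cookies.Set(cookie);
            ticket = renewed;
        }

        Context.User = CustomAuth.ToPrincipal(ticket);
        Thread.CurrentPrincipal = Context.User;
    }
}

public class AccountController : Controller
{
    // Role check now comes from the ticket's UserData, no extra lookup needed.
    [Authorize(Roles = "Admin")]
    public ActionResult AdminOnly()
    {
        return Content("Hello " + User.Identity.Name);
    }
}
```

The login action is deliberately left out because credential verification belongs to your own user store; it would call `CustomAuth.SignIn(Response, userName, rolesForUser, rememberMe)` after a successful check. Keeping roles in UserData means a role change only takes effect when the ticket is reissued, so issue a new ticket (or shorten the timeout) if your application needs revocation to be immediate.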
