1. 技术文章
  2. How do I re-authenticate a user in an ASP.NET MVC 3 Intranet application?

How do I re-authenticate a user in an ASP.NET MVC 3 Intranet application?

生来就可爱ヽ(ⅴ<●) 提交于 2019-12-07 02:09:18

问题


The application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so called "step-up" authentication, or "force re-authentication" for the following scenario:

  1. the user is browsing the site doing common, trivial stuff
  2. suddenly, the user has to do a sensitive action such as authorizing a resource allocation or confirming a car loan or something similar
  3. the user is prompted for the credential before (s)he's redirected to the sensitive page, in a manner similar to SharePoint's "Sign In as a Different User"
  4. if, and only if, the credentials entered are the same as for the currently logged-in user the application proceeds to the sensitive area.

This would prevent the following two issues:

  1. The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area
  2. The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.

I know, some would look at this as "being paranoid", but also some would say it's common sense and should be build in a framework somewhere (jQuery or .NET)


回答1:


Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered and check that the username supplied matches the current username in the User.Identity object.

public ActionResult SensitiveAction( SensitiveModel model, string username, string password )
{
    using (var context = new PrincipalContext(ContextType.Domain))
    {
         if (!string.Equals(this.User.Identity.Name,username,StringComparison.OrdinalIgnoreCase)
             || !context.ValidateCredentials(username,password))
         {
              return View("PermissionDenied");
         }
    }

    ...
}



回答2:


The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area

That works only the first time, but now the boss enters a sensitive area, re-enters her credentials, then goes for coffee. Are you going to prompt for every sensitive request? Users won't put up with that.

The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.

If someone knows and enters the credentials of their boss, there is nothing you can do to detect that.



来源:https://stackoverflow.com/questions/7585539/how-do-i-re-authenticate-a-user-in-an-asp-net-mvc-3-intranet-application

标签
asp.net-mvc
windows-authentication
pre-authentication
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!