问题
I need to get HttpContext.Session in GrantResourceOwnerCredentials method. However I get null when I try to access Httpcontext.Session.
Below is my code:
public void ConfigureAuth(IAppBuilder app)
{
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),
Provider = new ApplicationOAuthProvider(
PublicClientId,
DependencyResolver.Current.GetService<ApplicationUserManager>(),
HttpContext.Current),
//AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(3),
// In production mode set AllowInsecureHttp = false
AllowInsecureHttp = true,
RefreshTokenProvider = new RefreshTokenProvider(
DependencyResolver.Current.GetService<ApplicationDbContext>())
};
// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);
}
I use SAML where I set my HttpContext session value, but I need to re-check that Session value again into my GrantResourceOwnerCredentials method, but however the session is always null in here.
回答1:
...I need to re-check that Session value again [in] my GrantResourceOwnerCredentials method.
Checking the session value in the GrantResourceOwnerCredential method is not a good idea. The session is stored in the cookie that comes with the request. Since the request comes in through the token endpoint, the request is not protected against tampering with the cookie. That means that a malicious user could tamper with the cookie and change the session.
来源:https://stackoverflow.com/questions/39661420/access-httpcontext-session-in-grantresourceownercredentials