使用 FormsAuthentication 时我们编写这样的代码:
if (IsValidUser())
{
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie);
}
如何手动创建身份验证cookie而不是编写 FormsAuthentication.SetAuthCookie(userName, createPersistentCookie)?
如何将登录页面的重定向URL存储到字符串变量中而不是编写FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie)?
这就是你需要的。当你使用内置在FormsAuthentication中的更高级别的方法时,ASP.NET会为此负责,但是在低级别上,需要创建一个身份验证 cookie。
if (Membership.ValidateUser(username, password))
{
// sometimes used to persist user roles
string userData = string.Join("|",GetCustomUserRoles());
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // ticket version
username, // authenticated username
DateTime.Now, // issueDate
DateTime.Now.AddMinutes(30), // expiryDate
isPersistent, // true to persist across browser sessions
userData, // can be used to store additional user data
FormsAuthentication.FormsCookiePath); // the path for the cookie
// Encrypt the ticket using the machine key
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
// Add the cookie to the request to save it
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);
// Your redirect logic
Response.Redirect(FormsAuthentication.GetRedirectUrl(username, isPersistent));
}
我不确定为什么您想要在此处执行自定义操作。如果您想要更改用户数据存储的实现方式以及用户身份验证方法,则最佳做法是创建自定义的MembershipProvider。自己编写解决方案并踩入身份验证 cookie 可能会导致软件中引入安全漏洞的高概率。
我不理解您的第二部分。如果您想返回用户到登录之前正在访问的页面,则只需要调用FormsAuthentication.GetRedirectUrl。否则,您可以根据需要执行任何操作,在配置中重定向到 URL。
通常,要读取 FormsAuthentication cookie,您需要在 HttpModule 或 Global.asax 中挂钩 AuthenticateRequest 事件,并设置用户 IPrinciple 上下文。
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if(authCookie != null)
{
//Extract the forms authentication cookie
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
// If caching roles in userData field then extract
string[] roles = authTicket.UserData.Split(new char[]{'|'});
// Create the IIdentity instance
IIdentity id = new FormsIdentity( authTicket );
// Create the IPrinciple instance
IPrincipal principal = new GenericPrincipal(id, roles);
// Set the context user
Context.User = principal;
}
}
有关此帖子投票负数数量的答案更新, 创建包含用户信息的 cookie 的正确方法如下:
在登录页面加载时对 cookie 进行验证,
if (HttpContext.Current.User.Identity.IsAuthenticated)
在经过身份验证的用户登录期间创建Cookie,
FormsAuthentication.SetAuthCookie(txtUserName.Text.Trim(), true);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
txtUserName.Text.Trim(),
DateTime.Now,
(chkRemember.Checked) ? DateTime.Now.AddHours(6) : DateTime.Now.AddHours(2),// Specify timelimit as required
true,
string.Empty,
FormsAuthentication.FormsCookiePath);
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
cookie.Expires = (chkRemember.Checked) ? DateTime.Now.AddHours(6) : DateTime.Now.AddHours(2);
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);
HttpCookie toolCookie = new HttpCookie("xyz");
toolCookie["UserName"] = userName;
toolCookie["Password"] = StringCipher.Encrypt(password, "#!");
toolCookie.Expires = DateTime.Now.AddMinutes(chkRemember.Checked ? 30 : -30);
Request.Cookies.Add(toolCookie);
获取现有 cookie 详细信息
HttpCookie user = Request.Cookies["xyz"];
if(user != null)
{
string username = user["UserName"];
string password = user["Password"] != null ? StringCipher.Decrypt(user["Password"], "#!")
}
这里Datasecurity是一个静态类。
加密和解密函数加密和解密
DateTime.Now.AddMinutes(30)改为DateTime.Now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes)- LawManDateTime.Now.Add(FormsAuthentication.Timeout)。但这也不是什么大问题。而且将其转换为分钟再转回去也没有什么损害,只是多了几个CPU使用周期。 - Shawn Kovac