• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    公众号

asp.net认证与授权

原作者: [db:作者] 来自: [db:来源] 收藏 邀请

1.下面的例子在web.config文件中配置网站使用asp.net forms 身份认证方式:

<configuration> 
    <system.web> 
        <authentication mode="Forms"> 
            <forms name="MyAppCookie" 
                   loginUrl="~/Login.aspx" 
                   protection="All" 
                   timeout="30" path="/" /> 
        </authentication> 
        ... 
    </system.web> 
</configuration>

Forms 认证设置:

属性 描述
name
The name of the HTTP cookie to use fo r authentication (defaults to .ASPXAUTH). If multiple applications are running on the same web server, you should give each application’s security cookie a unique name.
loginUrl Your custom login page, where the user is redirected if no valid authentication cookie is found. The default value is Login.aspx.
protection The type of encryption and validation used for the security cookie (can be All, None, Encryption, or Validation). Validation ensures the cookie isn’t changed during transit,and encryption (typically Triple-DES) is used to encode its contents. The default value is All.
timeout The number of idle minutes before the c ookie expires. ASP.NET will refresh the cookie every time it receives a request. The default value is 30.
path The path for cookies issued by the app lication. The default value (/) is recommended, because case mismatches can prevent the c ookie from being sent with a request.

 

2.Authorization Rules(授权规则)

<authorization> 
    <allow users="*" /> 
    <deny users="?" /> 
</authorization>

When evaluating rules, ASP.NET scans through the list from top to bottom and then continues with the settings in any .config file inherited from a parent directory, ending with the settings in the base machine.config file. As soon as it finds an applicable rule, it stops it s search. Thus, in the previous case, it will determine that the rule <allow  users="*"> applies to the current request and will not evaluate the second line. This means these rules will allow all users, including anonymous users.

<authorization> 
    <deny users="?" /> 
    <allow users="*" /> 
</authorization>

Now these rules will deny anonymous users (by matching the first rule) and allow all other users (by matching the second rule).

3.The Login Page(登录页)

ASP.NET provides a special FormsAuthentication class in the System.Web.Security namespace, which provides static methods that help manage the process.

public partial class Login : System.Web.UI.Page 
{ 
    protected void cmdLogin_Click(Object sender, EventArgs e) 
    { 
        if (txtPassword.Text.ToLower() == "secret") 
        { 
            FormsAuthentication.RedirectFromLoginPage( 
              txtName.Text, false); 
        } 
        else 
        { 
            lblStatus.Text = "Try again."; 
        } 
    } 
}

The RedirectFromLoginPage() method requires two parameters. The first sets the name of the user. The second is a Boolean variable that specifies whether you want to create a persistent cookie (one that stays on the user’s hard drive for a longer period of time).

4.Retrieving the User’s Identity

Once the user is logged in, you can retrieve the identity through the built-in User property, as shown here:

protected void Page_Load(Object sender, EventArgs e) 
{ 
    lblMessage.Text = "You have reached the secured page, "; 
    lblMessage.Text += User.Identity.Name + "."; 
}

5.Signing Out

private void cmdSignOut_Click(Object sender, EventArgs e) 
{ 
    FormsAuthentication.SignOut(); 
    Response.Redirect("~/Login.aspx"); 
}

6.Persistent Cookies(持久cookie)

A persistent authentication cookie remains on the user’s hard drive and keeps the user signed in for hours, days, or weeks—even if the user closes and reopens the browser.

Creating a persistent cookie requires a bit more code than creating a standard forms authentication cookie. Instead of using the RedirectFromLoginPage() method, you need to manually create the authentication ticket, set its expiration time, encrypt it , attach it to the request, and then redirect the user to the requested page. All of these tasks are easy, but it’s important to perform them all in the correct order.

The following code examines a check box named chkPersist. If it’s selected, the code creates a persistent cookie that lasts for 20 days:

// Perform the authentication. 
if (txtPassword.Text.ToLower() == "secret") 
{ 
    if (chkPersist.Checked) 
    { 
        // Use a persistent cookie that lasts 20 days. 
        // The timeout must be specified as a number of minutes. 
        int timeout = (int)TimeSpan.FromDays(20).TotalMinutes; 
 
        // Create an authentication ticket. 
        FormsAuthenticationTicket ticket = new 
          FormsAuthenticationTicket(txtName.Text, true, cookietimeout); 
 
        // Encrypt the ticket (so people can't steal it as it travels over 
        // the Internet). 
        string encryptedTicket = FormsAuthentication.Encrypt(ticket); 
 
        // Create the cookie for the ticket, and put the ticket inside. 
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, 
          encryptedTicket); 
        // Give the cookie and the authentication ticket the same expiration. 
        cookie.Expires = ticket.Expiration;  
 
        // Attach the cookie to the current response. It will now travel back to 
        // the client, and then back to the web server with every new request. 
        HttpContext.Current.Response.Cookies.Set(cookie); 
 
        // Send the user to the originally requested page. 
        string requestedPage = FormsAuthentication.GetRedirectUrl(txtName.text, 
          false); 
        Response.Redirect(requestedPage, true); 
    }
    else 
    { 
        // Use the standard authentication method. 
        FormsAuthentication.RedirectFromLoginPage( 
          txtName.Text, false); 
    } 
}

It’s worth noting that the FormsAuthentication.SignOut() method will always remove the forms authentication cookie, regardless of whether it is a normal cookie or a persistent cookie.


鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
上一篇:
去掉ASP.NETDevelopmentServer中的虚拟路径发布时间:2022-07-10
下一篇:
asp.net实现匿名访问控制_asp.net技巧发布时间:2022-07-10
热门推荐
热门话题
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap