[英]Using cookies to auto-login a user in asp.net (custom login)
i can't find on the net what i'm looking for so any help would be appreciated. 我无法在网上找到我正在寻找的东西,所以任何帮助将不胜感激。 I have implemented a custom login form where the user enters his email and password to log in. I then query the database with those credentials (password is hashed and salted) and if both are found then i store the UserID in the Session state.
我已经实现了一个自定义登录表单,用户输入他的电子邮件和密码进行登录。然后我使用这些凭据查询数据库(密码是哈希和盐渍的),如果两者都找到,那么我将UserID存储在会话状态。 If the user closes the browser then the Session is lost so he would have to log in again.
如果用户关闭浏览器,则会话丢失,因此他必须再次登录。 I learned about using cookies to implement the "Remember me" functionality but i don't know what should i be storing in the cookie for the auto-login process and to make it secure.
我学会了使用cookie来实现“记住我”功能,但我不知道我应该在cookie中存储什么以进行自动登录过程并使其安全。
PS: I know what a cookie is and how it works. PS:我知道cookie是什么以及它是如何工作的。 I also know that storing the user credentials (email + password) in a cookie is NOT advised.
我也知道不建议将用户凭据(电子邮件+密码)存储在cookie中。 I'm using asp.net 4.0 with C#
我正在使用带有C#的asp.net 4.0
Actually i'm looking for the logic behind the auto-login system using cookies. 其实我正在寻找使用cookie的自动登录系统背后的逻辑。
Thanks! 谢谢!
You should just use FormsAuthentication to set the cookie: 您应该只使用FormsAuthentication来设置cookie:
FormsAuthentication.SetAuthCookie(theUserID, true);
And then get it back: 然后把它拿回来:
string userId = HttpContext.Current.User.Identity.Name;
If you are worried about security, you can consider only using secure cookies (you will only be able to read that cookie over https). 如果您担心安全性,可以考虑仅使用安全cookie(您只能通过https读取该cookie)。
There's more info on this in a related post: Manual Access control in ASP .Net 在相关文章中有更多相关信息: ASP .Net中的手动访问控制
Update: According to your comment, you don't think you can set a Forms Authentication cookie in your custom login form. 更新:根据您的评论,您认为您不能在自定义登录表单中设置表单身份验证cookie。 So I created a blank ASP.NET 4 project, where I created a custom login -- it will log in any unauthenticated user.
所以我创建了一个空白的ASP.NET 4项目,在那里我创建了一个自定义登录 - 它将登录任何未经身份验证的用户。 Here are the three pieces:
以下是三件:
The web.config
(your project should have something similar since you have a form on your site where people login): web.config
(你的项目应该有类似的东西,因为你的网站上有一个人们登录的表单):
<authentication mode="Forms"></authentication>
The code front: 代码前端:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="default.aspx.cs" Inherits="emptyWebApp._default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Example</title>
</head>
<body>
<form id="form1" runat="server">
<div>
Username: <asp:Label ID="_username" runat="server"></asp:Label>
</div>
</form>
</body>
</html>
The code behind: 背后的代码:
using System;
using System.Web;
using System.Web.Security;
namespace emptyWebApp
{
public partial class _default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
_username.Text = HttpContext.Current.User.Identity.Name;
}
else
{
_username.Text = "Not logged in";
FormsAuthentication.SetAuthCookie("CookieMan", true);
}
}
}
}
As you can see, you can set an Authentication cookie using FormsAuthentication.SetAuthCookie
in your own custom authentication function, even one as irrational as this. 如您所见,您可以在自己的自定义身份验证功能中使用
FormsAuthentication.SetAuthCookie
设置身份验证Cookie,即使是一个非理性的身份验证Cookie。
In this case, the first time they hit the page, it will show Username: Not logged in
and then it will log them in as "CookieMan". 在这种情况下,当他们第一次点击页面时,它将显示
Username: Not logged in
,然后它将以“CookieMan”身份登录。 Refreshing the page will show Username: CookieMan
. 刷新页面将显示
Username: CookieMan
。
I have found very good articles about this problem. 我找到了关于这个问题的非常好的文章。 I recommend to read them all!
我建议全部阅读!
Whenever I've done this I just make up some random "SessionId" guid and use that value. 每当我这样做,我只需要编写一些随机的“SessionId”guid并使用该值。
If your code you can keep a list sessionId/UserId pairs and expire them as necessary. 如果您的代码可以保留列表sessionId / UserId对并在必要时使它们到期。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.