Implement secure authentication with authorization in MVC

I need to implement a secure system in MVC which will recognize that the logged-in user has followed the proper authentication steps.

Can I know which of the following authentication schemes will be better?

  1. Form authentication will use a cookie, which in turn gets the user details based on the cookie. In form authentication we have the advantage that, with the cookie available in the browser, the system will auto-login from it.

  2. Storing the logged-in user information in session and checking that the user is logged in. But if the session expires we need to log out of the system. Suppose the user needs to work the entire day; sometimes the user can leave without interaction for 20 minutes, and the system automatically signs the user out.

  3. Storing the logged-in user details in SQL Server session, which will have performance issues.

So I need to implement a secure and performance-oriented scheme which will maintain user information securely and also have advantages like auto-login with a cookie.

The primary goal is to keep track of which user is logged in; he should be authenticated by the system he is accessing and be able to log out of the system safely.

Option 1 is not safe because you can pick up the cookie data and insert it into another browser to impersonate the user.

I use option 2, for example, with my website because it has a secure structure. If the browser is closed and opened again the session is destroyed, but as long as the same browser stays open you can always use it to access your profile without having to log in.

Option 3 has too much editing and processing effort, so I wouldn't recommend it.

Maintaining the user would simply fall into place when you maintain the user data in the database via an admin panel which you create. So you have the possibility to install an ACL system later.
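Added example (C#, ASP.NET MVC 5 on System.Web; not code from the question or the answer) showing option 1 with the answer's cookie-replay concern addressed: each login mints a random stamp that is stored per user and embedded in the encrypted forms ticket, and a custom authorize attribute accepts a cookie only while both still match, so logout invalidates every outstanding cookie without depending on in-memory or SQL session state. `UserStore` with `Verify`, `SetStamp` and `GetStamp` is a hypothetical persistent store, not a framework API.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
// Per-login "security stamp": kept in the user record (hypothetical UserStore) and inside the
// forms ticket's UserData; rotating the stored stamp on logout kills every copied cookie.
public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, bool rememberMe)
    {
        if (!UserStore.Verify(userName, password)) return View();   // hypothetical credential check
        string stamp = Guid.NewGuid().ToString("N");
        UserStore.SetStamp(userName, stamp);                          // hypothetical persistent store
        DateTime expires = rememberMe ? DateTime.Now.AddDays(14) : DateTime.Now.AddMinutes(30);
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, expires,
                                                   rememberMe, stamp, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // unreadable from script
            Secure = true,     // HTTPS only (pair with requireSSL="true" on <forms> in web.config)
            Path = FormsAuthentication.FormsCookiePath
        };
        if (rememberMe) cookie.Expires = expires;   // otherwise a session cookie, gone when the browser closes
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }
    [HttpPost, ValidateAntiForgeryToken, Authorize]
    public ActionResult Logout()
    {
        UserStore.SetStamp(User.Identity.Name, Guid.NewGuid().ToString("N")); // rotate: all outstanding cookies die
        FormsAuthentication.SignOut();                                         // clear this browser's cookie
        return RedirectToAction("Login");
    }
}
// Use [StampAuthorize] in place of [Authorize] on protected controllers and actions.
public class StampAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase ctx)
    {
        if (!base.AuthorizeCore(ctx)) return false;   // FormsAuthenticationModule has already checked the signature
        HttpCookie c = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (c == null) return false;
        FormsAuthenticationTicket t;
        try { t = FormsAuthentication.Decrypt(c.Value); } catch (Exception) { return false; } // tampered cookie
        return t != null && !t.Expired && t.UserData == UserStore.GetStamp(t.Name);
    }
}
```

Because the stamp lives with the user record rather than in session, the 20-minute idle timeout from option 2 no longer logs the user out, while a copied cookie is useless once the real user logs out or the stamp is rotated by an administrator.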
