简体繁体 English

没有身份和用户帐户的基于令牌的资源访问

[英]Token-based access to resource without Identity & User Accounts

原文 2019-09-22 19:32:25 3 1 c#/ asp.net-core/ cookies/ token

My Problem: My app has number of pages/resources that should be accessible by guest users but only after providing correct pair [Resource Code - Unique Token] (each page has one Page Code and multiple unique "Tokens" issued for each user).我的问题：我的应用程序具有访客用户应该可以访问的页面/资源数量，但只有在提供正确的对 [资源代码 - 唯一令牌] 之后（每个页面都有一个页面代码和为每个用户颁发的多个唯一“令牌”）。 Tokens are generated beforehand and stored in DB.令牌预先生成并存储在数据库中。 After accessing the page, user will be able to interact with multiple other resources belonging to particular page.访问页面后，用户将能够与属于特定页面的多个其他资源进行交互。

How I organized this so far: Page asks user to provide token and checks it with records in DB.到目前为止我是如何组织的：页面要求用户提供令牌并与数据库中的记录进行检查。 If this is a correct token for resource requested, it writes cookie and then, every time user interacts with the resource or its content, controller will every time read cookie and check [PageCode-Token] pair with database before continuing the action.如果这是请求资源的正确令牌，它会写入 cookie，然后，每次用户与资源或其内容交互时，controller 将每次读取 cookie 并在继续操作之前检查 [PageCode-Token] 与数据库的配对。

Question: Is there any other, more elegant and efficient approach?问题：还有其他更优雅、更有效的方法吗？ Should I use Session instead?我应该改用 Session 吗？ I feel a bit bad about querying DB every time.每次查询数据库我都觉得有点糟糕。

1 个解决方案

This depends on how many users access your service, if the volume is too large it would be recommended to create a cache where all tokens are stored, thus avoiding a database overload.这取决于有多少用户访问您的服务，如果容量太大，建议创建一个缓存来存储所有令牌，从而避免数据库过载。 However if the service is not widely used this is not necessary as a database can handle a lot of requests.但是，如果该服务没有被广泛使用，则没有必要这样做，因为数据库可以处理大量请求。

You could create a cache in two ways, using ready-made software or create a small cache within the project itself.您可以通过两种方式创建缓存，使用现成的软件或在项目本身中创建一个小缓存。

If you choose to use software, I would recommend Redis, it is a cache database that stores values with or without a timeout, ie after a while the tokens are deleted.如果你选择使用软件，我会推荐 Redis，它是一个缓存数据库，存储有或没有超时的值，即一段时间后令牌被删除。 Keep in mind that this does not prevent you from making requests to the database, but you will always make requests to the cache first (Redis) and if the value does not exist, it is necessary to search within the database.请记住，这不会阻止您向数据库发出请求，但您总是会首先向缓存（Redis）发出请求，如果该值不存在，则需要在数据库中进行搜索。

But if you choose to create your own, you will need to do most things manually and always knowing how much resources can be allocated.但是，如果您选择创建自己的，您将需要手动完成大部分操作，并且始终知道可以分配多少资源。 It may be more advantageous to use software than reinvent the stone.使用软件可能比重新发明石头更有利。