简体繁体 English

C＃4 ASP.net * NON MVC *自定义身份验证

[英]C# 4 ASP.net *NON MVC* Custom Authentication

原文 2012-06-19 07:57:46 4 4 c#/ asp.net/ authentication

I know this question as been asked countless times, but believe me I've searched Google for hours and got nothing. 我知道这个问题已经被问过无数次了，但是相信我我已经搜索了Google几个小时，却一无所获。 Whatever is out there, it's for MVC, which I'm not using. 无论那里有什么，它都用于我不使用的MVC。

My requirement is simple. 我的要求很简单。 I do not want to use the default authentication provided in asp.net. 我不想使用asp.net中提供的默认身份验证。 I would store the username/password/role in my custom SQL Server table. 我会将用户名/密码/角色存储在自定义SQL Server表中。 I'll provide 2 inputs for username/password and a button to validate. 我将为用户名/密码提供2个输入，并提供一个验证按钮。 On validation, he is allowed access to the admin areas. 验证后，他被允许访问管理区域。 This will only be used by admin guys at my subdomain "admin. * .com". 这只会由我的子域“ admin。 * .com”中的管理员使用。 They will use this page to add content to the website on daily basis. 他们将每天使用此页面向网站添加内容。

How do I implement it. 我该如何实施。 A tutorial link would suffice. 教程链接就足够了。
Is it safe for Production? 生产安全吗？ I don't want some newbie hacker getting in to my site and mess it up. 我不希望一些新手黑客进入我的网站并将其弄乱。 If not safe, what else option do I have. 如果不安全，我还有什么选择。

Thanks, Dev 谢谢，开发人员

4 个解决方案

You can create your own custom membership provider which has the features you are looking for. 您可以创建自己的具有所需功能的自定义成员资格提供程序。 asp.net membership provider asp.net会员提供者

Its best to use the tried and tested method for security purposes. 出于安全目的，最好使用久经考验的方法。 Remember you can customise any providers including role providers or even create your own unique providers. 请记住，您可以自定义任何提供程序，包括角色提供程序，甚至可以创建自己的唯一提供程序。

Here is an example how to LDAP authentication using ASP.NET 1.1 . 这是一个使用ASP.NET 1.1进行LDAP身份验证的示例。 The logic may still be applicable or can be adapted to later versions of ASP.NET, although I have not tested it. 该逻辑可能仍然适用，也可以适用于更高版本的ASP.NET，尽管我尚未对其进行测试。

Using the built-in membership providers, or implementing your own, is no guarantee that a hacker can't get access to your system. 使用内置成员资格提供程序或实现自己的成员资格提供程序，不能保证黑客无法访问您的系统。 Things you'll have to consider: 您必须考虑的事项：

encrypting data between client and server 客户端和服务器之间的数据加密
don't store passwords in the database, not even encrypted. 不要将密码存储在数据库中，甚至不进行加密。 Hash each password its own salt, if you can. 如果可以的话，将每个密码散列成自己的盐。
enforce strong password entropy . 加强强密码熵。
make sure session and authorization cookies are marked HttpOnly and Secure 确保会话和授权cookie标记为HttpOnly和Secure
for admin passwords, have a policy to change them frequently (like once a month) 对于管理员密码，有一项政策要经常更改（例如每月一次）
provide means to notify administrators when someone signs in to their accounts 提供在有人登录其帐户时通知管理员的方法
temporarily lock out ip address who exceeds number of requests per second and failed to authenticate 暂时锁定每秒超过请求数量且无法通过身份验证的IP地址
temporarily lock out users when they enter their password more then x (eg 10) number of times in an y number of minutes (eg 10). 当用户在y分钟（例如10分钟）内输入超过x（例如10）次密码时，暂时锁定用户。

These are just a handful of things to look for. 这些只是少数要寻找的东西。 You'll also have to concern yourself with session highjacking, javascript attacks and so forth. 您还必须关注会话劫持，javascript攻击等。

Its not a trivial matter. 这不是一件小事。

As per our comments, given your reluctance to implement an ASP.Net Membership provider (and it is worth the time to investigate - you may not feel that it is right now, but it can be handy. I felt the same way at first, but the cost of maintaining your own code and infrastructure soon proves to be false economy) you have at least two other choices: 根据我们的评论，鉴于您不愿实施ASP.Net成员资格提供程序（并且值得花时间进行调查-您可能不觉得现在是正确的，但是可能会很方便。起初，我有同样的感觉，但很快就会发现维护自己的代码和基础结构的成本是不合算的），您至少还有两个选择：

1) Straightforward Forms Authentication 1）简易表格认证

Put all of your admin pages under a single folder, for example, /Admin, then use Forms Authentication to protect access to this folder. 将所有管理页面都放在一个文件夹（例如/ Admin）下，然后使用“ 表单身份验证”来保护对此文件夹的访问。 Only users defined in the database or Web.Config will have access to these pages. 只有在数据库或Web.Config中定义的用户才能访问这些页面。 This is less flexible than ASP.Net membership, but may give you most of what you want. 这没有ASP.Net成员资格灵活，但可以为您提供大部分所需的服务。 In terms of security, this will be as secure as your website is, is well tested, and is well documented. 在安全性方面，这将与您的网站一样安全，经过良好测试并且有据可查。

2) Use Facebook OAuth 2）使用Facebook OAuth

You mentioned that your use has access to Facebook. 您提到您的使用可以访问Facebook。 You could use Facebook to do the authentication for you. 您可以使用Facebook进行身份验证。 Although you wont be able to grab the username and password, you can get a token back, that you can then validate against a known permission set. 尽管您将无法获取用户名和密码，但是可以找回令牌，然后可以根据已知的权限集进行验证。 This is a lot more work than 1) though and will tie you to potential future changes in the Facebook API. 但是，与1）相比，这项工作要多得多，并将使您与Facebook API未来的潜在变化联系在一起。 However, it also benefits from being well tested, and secure, but you have little to no control over the actual user information. 但是，它也将从经过良好测试和安全性中受益，但是您几乎无法控制实际用户信息。

As an aside, please also consider being nicer to Google! 顺便说一句，也请考虑对Google更好！

Writing a custom authentication handler is very dangerous. 编写自定义身份验证处理程序非常危险。 There are many ways to get it wrong and leave your website vulnerable to attack. 有很多方法可以解决该问题，并使您的网站容易受到攻击。

I also understand your complaint that Forms Authentication is extremely complicated. 我也理解您的投诉，即表单身份验证极其复杂。 I was faced at a similar cross roads and decided to build my own authentication system called FSCAuth . 我面临类似的十字路口，因此决定构建自己的身份验证系统FSCAuth 。 It's BSD licensed. 它是BSD许可的。 It's designed to be super simple and to allow for just about any database format you can image. 它的设计非常简单，几乎可以允许您使用任何数据库格式进行映像。 All that must be done to set it up is implement a small 4 function interface into your database and populate a few configuration fields. 设置它所要做的全部工作就是在数据库中实现一个小的4功能接口，并填充一些配置字段。