会话身份验证等同于 FormsAuthentication?
[英]Session Authentication equivalent to FormsAuthentication?
问题描述
I'm using a login form to authenticate users.
我正在使用登录表单对用户进行身份验证。
FormsAuthentication is right out as it stores sensitive user/role membership in either client-side in a cookie or within the URL. FormsAuthentication是正确的,因为它在客户端的 cookie 或 URL 中存储敏感的用户/角色成员资格。 Within the URL is a huge security risk, so I won't even get into that.在 URL 中存在巨大的安全风险,所以我什至不会涉及。 With the FormsAuthentication cookie, this creates problems with a) security where the client is in the position of dictating it's own roles;使用FormsAuthentication cookie,这会产生以下问题: and b) way too much data stored in cookies. b) cookie 中存储的数据太多。 Since I'm gaining nothing through security and loosing out big time on the size of user data storage, I'd rather just work with Sessions.由于我在安全方面一无所获,并且在用户数据存储的大小上浪费了大量时间,因此我宁愿只使用 Sessions。
I'd like to reuse something like FormsAuthentication for all its basic login form-handling features.我想为所有基本的登录表单处理功能重用FormsAuthentication类的东西。 But i would rather have it store user data server-side in perhaps Session rather than client-side all stuffed into a single cookie.但我宁愿让它在 Session 中存储服务器端的用户数据,而不是将客户端全部塞进一个 cookie 中。 I'd rather just authenticate against a Session token of some sort.我宁愿只针对某种会话令牌进行身份验证。
I have no database and local disk storage of user data is forbidden.我没有数据库,用户数据的本地磁盘存储被禁止。 I rely on a 3rd party authentication service provider, and a requirement is that I must reduce chatter with this service.我依赖 3rd 方身份验证服务提供商,并且要求我必须减少使用此服务的喋喋不休。 Thus, sessions for temporary storage of user info.因此,会话用于临时存储用户信息。 Sucks, but that's not necessarily the problem I'm asking about.很糟糕,但这不一定是我要问的问题。 Also, a requirement is that I must set/use HttpContext.user and likely Thread.CurrentPrincipal for use later on in such things as AuthorizeAttribute, for displaying user info in views, etc.此外,一个要求是我必须设置/使用 HttpContext.user 和可能的 Thread.CurrentPrincipal 以便稍后在诸如 AuthorizeAttribute 之类的事情中使用,用于在视图中显示用户信息等。
So FormsAuthentication stores all user data client-side in a cookie.因此FormsAuthentication将所有用户数据客户端存储在 cookie 中。 Whereas Session stores all data server-side and just relies on a simple client-side token cookie.而 Session 存储服务器端的所有数据,并且只依赖于一个简单的客户端令牌 cookie。 However, Session is not available anywhere during the asp.net startup and authentication steps.但是,在 asp.net 启动和身份验证步骤期间,Session 在任何地方都不可用。 Is there an equivalent forms "membership" provider that stores all data in Session server-side instead of client-side?是否有等效形式的“会员”提供程序将所有数据存储在会话服务器端而不是客户端?
If there is no Session equivalent...如果没有 Session 等价物...
- Where do I set HttpContext.user and Thread.CurrentPrincipal to make both values available throughout the rest of both MVC apps without interfering or messing up other MVC components?我在哪里设置 HttpContext.user和Thread.CurrentPrincipal 以使这两个值在两个 MVC 应用程序的其余部分都可用,而不会干扰或弄乱其他 MVC 组件?
- Hinging on #1, is Session available at that entry point?取决于#1,Session 在该入口点是否可用? If not, how do I make it available so I can create the Principle/Identity object using the data stored in Session?如果没有,我如何使其可用,以便我可以使用存储在 Session 中的数据创建 Principle/Identity 对象?
- This can't possibly be a unique requirement.这不可能是一个独特的要求。 Are there libraries already available which handle this?是否有可用的库来处理这个问题?
2 个解决方案
解决方案1
1 2012-11-19 01:19:19
Session stores information in a client-side cookie too! Session 也将信息存储在客户端 cookie 中! (or in the URL if cookieless). (如果没有 cookie,则在 URL 中)。
If you want to authenticate a client, he'll have to provide some kind of credentials - usually an encrypted token in a cookie once he has logged on.如果您想对客户端进行身份验证,他必须提供某种凭据 - 通常是登录后 cookie 中的加密令牌。 If not a cookie, then what do you propose?如果不是饼干,那你有什么建议?
You should use FormsAuthentication.您应该使用 FormsAuthentication。 The sensitive information stored in a client-side cookie is encrypted using a key that should only be known to the web server.存储在客户端 cookie 中的敏感信息使用只有 Web 服务器才知道的密钥进行加密。 "the encryption methods being public knowledge" doesn't mean that you can decrypt the data without access to the appropriate cryptographic key. “公开的加密方法”并不意味着您可以在不访问适当的加密密钥的情况下解密数据。
You mention "roles" and a "third-party authentication provider".您提到了“角色”和“第三方身份验证提供者”。 If your third party is also providing roles (ie an "authorization provider" as well as an "authentication provider"), then it would be reasonable to cache roles obtained from the provider on the server.如果您的第三方也提供角色(即“授权提供者”和“身份验证提供者”),那么在服务器上缓存从提供者获得的角色是合理的。 Session is not available when a request is being authorized, so the best solution is to use the Cache (System.Web.Caching.Cache).请求被授权时会话不可用,因此最好的解决方案是使用缓存(System.Web.Caching.Cache)。
Personally I would encapsulate this in acustom RoleProvider .我个人会将其封装在自定义 RoleProvider 中。 The custom RoleProvider would implement GetRolesForUser by getting roles from the third party on the first call, then caching them in Cache.自定义 RoleProvider 将通过在第一次调用时从第三方获取角色,然后将它们缓存在 Cache 中来实现GetRolesForUser 。
解决方案2
0 2012-11-19 02:15:03
Not sure if I like what I'm about to suggest, but you could do the following:不确定我是否喜欢我将要提出的建议,但您可以执行以下操作:
- Leverage the Application State or
System.Cacheas a global storage for user credentials.利用应用程序状态或System.Cache作为用户凭据的全局存储。 Use an InMemory database (like RavenDb) which can also have encryption (in memory, I believe).
使用 InMemory 数据库(如 RavenDb),它也可以加密(我相信在内存中)。Using the Application state as a place to storage relatively common / frequent stuff I think is not a great place because of
使用应用程序状态作为存储相对常见/频繁的东西的地方,我认为这不是一个好地方,因为- Scaling / locking issues?缩放/锁定问题? <-- just a gut feeling. <-- 只是一种直觉。
- Permenant data?永久数据? so you have users in the website's memory .. then the website crashes or recycles, etc... what happens now to that data?所以你有用户在网站的内存.. 然后网站崩溃或回收,等等...现在这些数据会发生什么?
- RavenDb is awesomeballs - go.use.it.now. RavenDb 很棒 - go.use.it.now。
- Scaling / locking issues?
I understand that you are not storing anything locally, so whenever a user hits your system, you need to refresh your inmemory cache, etc. Fine.我知道您没有在本地存储任何内容,因此每当用户访问您的系统时,您都需要刷新内存缓存等。很好。 A pain in the f'ing butt , but fine none-the-less.屁股有点痛,但还是不错的。 (EDIT: unless the data has been cached in memory .. that is) (编辑:除非数据已缓存在内存中......也就是说)
Anywys, two suggestions.无论如何,两个建议。
ProTip:专家提示:
Oh!哦! move away from role based shiz and start usingClaims based identity stuff.摆脱基于角色的 shiz 并开始使用基于声明的身份内容。 Yes, it still works with IPrincipal and HttpContext.User, etc. So all previous code is NOT busted.是的,它仍然适用于 IPrincipal 和 HttpContext.User 等。所以所有以前的代码都没有被破坏。 But now it's baked into .NET 4.5但现在它已融入 .NET 4.5
Awesome Video on this for you, me, everyone !为你,我,每个人制作的精彩视频!
Finally - bonus suggestion最后 - 奖金建议
A nice package that auth's with either Facebook/Google/Twitter.一个很好的包,可以通过 Facebook/Google/Twitter 进行身份验证。 You said you're keeping the user cred's on another site (good move!).你说你将用户信用保留在另一个站点上(好举措!)。 If you're using other providers, then stick with DNOA or SS.如果您使用其他提供商,请坚持使用 DNOA 或 SS。
GL!高!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.