HttpContext.Current.User对于无状态会话是否安全?
[英]Is HttpContext.Current.User Safe for Stateless Session?
问题描述
I have been using Azure Websites for couple of months and I decided to migrate to Cloud Services for SSL reasons. 
我已经使用Azure网站几个月了,出于SSL原因,我决定迁移到Cloud Services。 Since, I might need couple of web roles in my project, my session management need to be stateless. 由于在我的项目中可能需要几个Web角色,因此会话管理必须是无状态的。
This is how I deal with user data in my project. 这就是我处理项目中用户数据的方式。 If I need user related data I get their username via HttpContext.Current.User.Identity.Name . 如果我需要与用户相关的数据,则可以通过HttpContext.Current.User.Identity.Name获取其用户名。 Using this info I query my database to fetch information about my users. 使用此信息,我查询数据库以获取有关用户的信息。
Is this to correct way to do it ? 这是正确的方法吗? I made some research but could not find really clear info about where HttpContext.Current.User comes from. 我进行了一些研究,但找不到关于HttpContext.Current.User来源的真正清晰的信息。
So far, this is what I understand. 到目前为止,这是我的理解。 User authenticates with Forms Authentication which creates a cookie in users PC. 用户通过表单身份验证进行身份验证,该身份验证在用户PC中创建一个cookie。 When server is requested by user again, server checks the cookie info and uses it to fill HttpContext object. 当用户再次请求服务器时,服务器检查cookie信息并使用它来填充HttpContext对象。 If one of the other web roles takes the request next time, could it use that cookie to fill HttpContext ? 如果其他Web角色之一下次接受请求,是否可以使用该Cookie填充HttpContext? (this could be all wrong, as I said this is what I understand from docs and other answers on web) (这可能全都错了,正如我所说的,这是我从文档和网络上的其他答案中了解到的)
That is what I am trying to understand basically. 这就是我想基本理解的内容。 I hope I explained my problem clear enough. 我希望我的问题解释得足够清楚。 Let me know If it is not clear. 让我知道是否不清楚。
2 个解决方案
解决方案1
2 2013-01-28 22:39:59
I am using HttpContext.Current.User.Identity in an Azure app running on multiple web roles with SessionState disabled without any problems. 我在运行多个Web角色的Azure应用中使用HttpContext.Current.User.Identity,并且已禁用SessionState且没有任何问题。 I have set it up to use Cookies. 我已将其设置为使用Cookies。
<authentication mode="Forms">
<forms loginUrl="~/Account/LogIn" cookieless="UseCookies" timeout="2880" />
</authentication>
解决方案2
2 已采纳 2013-01-29 01:59:29
I think your understanding is correct. 我认为您的理解是正确的。 When we use FormAuthentication, there will be a cookie generated once logged in, with the user information and something like token encrypted. 当我们使用FormAuthentication时,登录后将生成一个cookie,其中包含用户信息和诸如令牌之类的加密信息。 Then we we request another page, browser will send this cookie to the server and ASP.NET will decrypt the cookie, validate and fill the user information into HttpContext.Current.User, no matter how many instances on your server side. 然后,我们请求另一个页面,浏览器会将此cookie发送到服务器,而ASP.NET将解密该cookie,验证用户信息并将其填充到HttpContext.Current.User中,无论您的服务器端有多少个实例。 So I think it's safe to use HttpContext.Current.User in a web role with multi-instance. 因此,我认为在具有多实例的Web角色中使用HttpContext.Current.User是安全的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.