stackoom
  简体   繁体   中英

Simple temporary authentication without a username or password

 原文  2014-10-31 18:32:28       asp.net/ asp.net-mvc/ authentication

Question

I need to add some authorization/authentication logic to an existing web form. Essentially, a user will enter their email address, then I check that email address against an existing database, and if it exists I send an email to that address containing an activation link to the web application. Once the user clicks that link, I want their client to be considered "authorized" for a short amount of time (like their browser session, for instance). They can then access certain pages until their authentication expires.

This would be extremely easy to do using custom ASP.NET forms authentication, but after doing some research there seems to be many more options today in terms of authorization/authentication. Things like ASP.NET Identity 2, Katana/OWIN, and more, it is getting to be quite overwhelming.

I'm looking for suggestions on the simplest way to currently implement something like this in an MVC4 application. I should be able to upgrade the application to MVC5 if necessary.

2 answers

solution1
 1  2014-10-31 20:27:54

This is essentially the same process most password resets use, so you can pretty much approach it the same way:

  1. Create a table to track these "authentications". You pretty much just need a column for the token, a column for a datetime, a column for a boolean. The datetime can either track the creation date and time of the token, which you'd then use in your code to calculate if it's too old based on your desired time frame, or you can track the expire date and time of the token and then simply check in your code if that expire date has passed or not. The boolean would track whether the email address has been confirmed, via having followed the link with token in the email you send out.

  2. In your initial form, you collect the email address and combine this with a salt and one-way encryption to produce a token. You send the email with a link that includes that token. Save the token and the appropriate datetime value in your table.

  3. On the page the user goes to after clicking the link, you use the token from the URL to lookup the matching row in your table, check the date value, and set the boolean to true for confirmed. Then, store the token in Session .

  4. On each subsequent request, check 1) there's a token in Session and 2) that that token is still valid (lookup it up in the database and check the datetime and confirmed status). If the token doesn't exist or is no longer good, delete the row, remove the token from Session , and redirect the user to the original email address collection form. Otherwise, allow the user to view whatever content is there.

solution2
 0  2014-10-31 18:49:35

The simplest way, is to have a database table for the users, and do checking for user authentication and if it's use FormsAuthentication.RedirectFromLoginPage, The identity framework gives you more options for security and encryption also for group and role management.

http://msdn.microsoft.com/en-us/library/ka5ffkce(v=vs.110).aspx

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to use windows authentication without username/password iis authentication username password Authenticate without username and password Windows Authentication prompts for username/password AD Authentication Unknown username or bad password Store username and password ASP.NET authentication Forms Authentication with More than Username and Password Is it possible to have a simple user-password authentication without having a login form? Setting up SMTP loally without username, password Hashing username/password values during asp.net forms authentication
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM