Asp.Net mvc authentication, where do I put a custom session key?

I have a user database, to which I have access through a web service. One of the web service methods is something like this:

public void login(string name, string password, out string user_key)

and in my controller I want to do something like this:

String key = repo.login(username, password); // a wrapper around the web service login method
if (key ....)
    FormsAuthentication.SetAuthCookie(username, false);

And my questions, here they come: This key is used for retrieving specific user data. Where do I put the key, so that I can have access to it? I mean, is there a method for the FormsAuthentication class? Because saying something like Session["key"] = key doesn't look like good practice to me. And what is the good practice here, so that bad guys won't hack my session?

Best answer

Sessions are separated from the authentication cookie in ASP.NET, so in order to take over a session the attacker would have to replicate both the authentication cookie and the session cookie.

You can write user information as part of the authentication ticket by using one of the constructors which accept userData before generating it, and then reading it via the UserData property. Be aware though, if this user key is sensitive then you may want to encrypt the authentication cookie. This is the default in ASP.NET, but it's worth being specific and putting

<forms protection="All" >

into your web.config
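A worked version of the approach in this answer, added here as an example that is not part of the original question or answer: the login action builds a FormsAuthenticationTicket with the web-service key in its userData field, encrypts it, and writes it as the forms cookie; a small helper reads the key back on later requests. `IUserRepository` and its `Login` method are a hypothetical wrapper around the web service `login` method from the question; everything else is the standard System.Web.Security / System.Web.Mvc API.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical wrapper around the web service's login(name, password, out user_key).
// Returns the user key on success, or null when the credentials are rejected.
public interface IUserRepository
{
    string Login(string username, string password);
}

public class AccountController : Controller
{
    private readonly IUserRepository repo;

    public AccountController(IUserRepository repo)
    {
        this.repo = repo;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password)
    {
        string key = repo.Login(username, password);
        if (string.IsNullOrEmpty(key))
        {
            // Same message for unknown user and wrong password: do not leak which one failed.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Build the ticket ourselves instead of calling SetAuthCookie, so the
        // web-service key travels inside the ticket's UserData field.
        var ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            username,                           // user name
            DateTime.Now,                       // issue date
            DateTime.Now.AddMinutes(30),        // expiration (sliding expiry is handled by the module)
            false,                              // not persistent: session cookie only
            key,                                // userData: the web-service user key
            FormsAuthentication.FormsCookiePath);

        // With <forms protection="All"> Encrypt() both encrypts and MAC-signs the
        // ticket, so the client can neither read nor tamper with the key.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // HTTPS only when requireSSL is configured
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}

// Reading the key back on a later request. FormsAuthenticationModule has already
// validated the MAC and the expiry before it sets HttpContext.User, so a
// FormsIdentity here means the UserData came from a ticket we issued.
public static class AuthTicketExtensions
{
    public static string GetUserKey(this HttpContextBase context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || identity.Ticket == null)
        {
            return null; // not authenticated via forms authentication
        }
        return identity.Ticket.UserData;
    }
}
```

Two practical caveats: the encrypted ticket has to fit in a cookie (browsers cap a single cookie at roughly 4 KB), so userData is for a short key, not a serialized user object; and because Encrypt/Decrypt use the application's machineKey, every server in a web farm must share the same `<machineKey>` in web.config or tickets issued by one server will be rejected by another. The `<forms>` element also accepts `requireSSL="true"`, which makes `FormsAuthentication.RequireSSL` return true and keeps the cookie off plain HTTP.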

Other answers

Don't quite understand what you mean by

Session["key"] = key doesn't look like good practice to me

I've been using something like Controller.HttpContext.Session for the longest period of time and don't feel the slightest guilt at all.

If you want to worry about being hacked, then you should make sure that your GET parameters are properly sanitized before they are passed into the database. That's important.
