Using forms authentication
Note that it protects only .aspx, .asmx and .ashx resources; plain HTML pages and classic ASP pages are not covered.
using System;
using System.Web.Security;

protected void LogonUser(object sender, EventArgs e)
{
    string user = userName.Text;
    string pswd = passWord.Text;
    // Custom authentication
    bool bAuthenticated = AuthenticateUser(user, pswd);
    if (bAuthenticated)
        FormsAuthentication.RedirectFromLoginPage(user, false);
    else
        errorMsg.Text = "Sorry, yours seems not to be a valid account.";
}
Authenticating the user:
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

private bool AuthenticateUser(string username, string pswd)
{
    // Performs authentication here: the demo looks the user up in the
    // Northwind Employees table (first name as user name, last name as password)
    string connString = ConfigurationManager.ConnectionStrings["LocalNWind"].ConnectionString;
    string cmdText = "SELECT COUNT(*) FROM employees WHERE firstname=@user AND lastname=@pswd";
    int found = 0;
    using (SqlConnection conn = new SqlConnection(connString))
    {
        SqlCommand cmd = new SqlCommand(cmdText, conn);
        // Parameterised query: user input never becomes part of the SQL text
        cmd.Parameters.Add("@user", SqlDbType.VarChar, 10).Value = username;
        cmd.Parameters.Add("@pswd", SqlDbType.VarChar, 20).Value = pswd;
        conn.Open();
        found = (int)cmd.ExecuteScalar();
        conn.Close();
    }
    return (found > 0);
}
Strong password support (comparing as VarBinary is a byte-wise match, so it is case-sensitive instead of following the column's default collation):
-- parameter names match those added to the SqlCommand above
SELECT COUNT(*)
FROM employees
WHERE CAST(RTRIM(firstname) AS VarBinary) = CAST(RTRIM(@user) AS VarBinary)
  AND CAST(RTRIM(lastname)  AS VarBinary) = CAST(RTRIM(@pswd) AS VarBinary)
Configuring forms authentication
1. The <forms> section
<forms name="cookies"
       loginUrl="url"
       protection="All|None|Encryption|Validation"
       timeout="30"
       requireSSL="true|false"
       path="/"
       slidingExpiration="true|false"
       enableCrossAppRedirects="true|false"
       cookieless="UseCookies|UseUri|AutoDetect|UseDeviceProfile"
       defaultUrl="url"
       domain="string">
</forms>
Cookieless forms authentication in ASP.NET 2.0
For an authenticated user, the URL of the pages that serve them follows this pattern:
http://YourApp/(F(XYZ1234))/samples/default.aspx
The ticket is encoded into URL-legal characters and inserted into the URL right after the server name. Cookieless authentication requires an ISAPI filter to intercept the request, extract the ticket, and rewrite the correct path for the application; the filter also supplies the authentication ticket as an additional request header. The aspnet_filter.dll component is what parses the URL. To avoid confusion, each kind of extra information stuffed into the URL is wrapped in its own qualifier: the session ID in S(...), the authentication ticket in F(...). The filter strips the URL decorations and places the ticket information in a header named AspAuthenticationTicket.
Forms authentication is not secure. 1. The user's ticket is sent in the clear. SSL can be used to protect the channel, but in the end forms authentication is just as weak as IIS Basic authentication: a stolen authentication cookie can be used to mount a replay attack for as long as it remains valid, and the cookieless option does not solve this problem.
Forms authentication is driven by application code, so authentication can be strengthened at the code level, for instance with the ASP.NET 2.0 Membership API.
So, to sum up, Microsoft's forms authentication is still not secure. You can strengthen the application at the code level, but the foundation stays fragile: it is like reinforcing the upstairs windows against burglars while the downstairs door stands open, which seems rather absurd. The protection of the forms authentication ticket therefore still needs to be strengthened. If cookies are used, their lifetime can be shortened, for example by making them expire immediately; if cookies are not used, even encryption is of no help, and you can write your own encryption function instead: compute a value in the application and verify it on the other side.
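As an added example (not code from the original post, and a model rather than the .NET implementation), the following Python sketches a forms-authentication ticket protected by an HMAC, which is the Validation half of protection="All", with a timeout and optional slidingExpiration. It makes the point above concrete: a tampered ticket is rejected, but a captured copy of a still-valid ticket is accepted until the timeout, so the timeout is what bounds the replay window. The key value and the JSON-plus-base64 token layout are assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key: in ASP.NET this role is played by <machineKey validationKey="...">.
VALIDATION_KEY = b"constructed-demo-key-do-not-reuse"


def _mac(payload: bytes) -> bytes:
    return hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()


def issue_ticket(user: str, now: int, timeout_min: int = 30) -> str:
    """Model of a FormsAuthenticationTicket: name, issue time, expiry (epoch seconds).
    Token = base64(json) '.' base64(HMAC): readable by anyone who captures it,
    but not forgeable without the key (the 'Validation' protection level)."""
    payload = json.dumps(
        {"name": user, "issued": now, "expires": now + timeout_min * 60},
        sort_keys=True).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_mac(payload)).decode())


def validate_ticket(ticket: str, now: int, sliding: bool = False):
    """Return (user, ticket_to_send_back) for a valid ticket, else None.
    Nothing here can tell the legitimate client from a replay of a captured
    ticket; only the absolute expiry bounds that window."""
    try:
        body_b64, mac_b64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None                      # malformed token
    if not hmac.compare_digest(mac, _mac(payload)):
        return None                      # tampered or forged
    t = json.loads(payload)
    if now >= t["expires"]:
        return None                      # timeout reached: stolen copies die here too
    lifetime = t["expires"] - t["issued"]
    if sliding and now - t["issued"] > lifetime // 2:
        # slidingExpiration="true": past half of the lifetime, reissue with a fresh timeout
        return t["name"], issue_ticket(t["name"], now, lifetime // 60)
    return t["name"], ticket
```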