How does ASP.NET Forms Authentication really work?

最新推荐文章于 2024-07-13 18:10:19 发布
最新推荐文章于 2024-07-13 18:10:19 发布
阅读量49 收藏
点赞数
文章标签: 数据库
原文链接:http://www.cnblogs.com/chucklu/p/11172034.html
版权

I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Forms Authentication, but how does forms authentication work in the background?

 

With the help of a good article, this is how I understand the process (assuming that the user's browser has cookies enabled)...

 

  1. User tries to access restricted page.
  2. Server looks for ASPXAuth cookie in the request but does not find it.
  1. Server redirects user to Login page as configured in web.config.
  1. User enters username and password and posts to the server.
  2. Server authenticates username and password against store. If valid...
  3. Server sets the Forms Authentication Ticket.
  1. The ticket contains (among other things) the userName, IsPersistent and the ExpirationDate.
  2. The ticket is encrypted and signed using keys from the <machineKey> configuration element (either from web.config or from machine.config)
  3. The ticket is stored in a cookie called ASPXAuth, or in the user's URL.
  1. Server redirects user back to the referring URL.
  2. User's browser requests original restricted page again. This time with the ASPXAuth cookie in the request.
  3. Server looks for ASPXAuth cookie and finds it.
  4. Server decrypts Forms Authentication Ticket  found in the cookie.
  5. Server checks expiration on ticket. If this is still valid...
  6. Server now knows that the user is authenticated and knows the UserName. From here authorization can take place (i.e. code can call the database and find out if the user has access to specific features on the page)

 

That seems to make sense. The interesting thing about this process is that Session State is not involved at all.
 
 

转载于:https://www.cnblogs.com/chucklu/p/11172034.html

weixin_30686845
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
aspnet-formsauthentication-js:ASP.NET FormsAuthentication的最小JavaScript实现
05-05
ASP.NET FormsAuthentication是一个用于身份验证的核心组件,它在.NET Framework中为Web应用程序提供了一种管理用户登录状态的方式。这个组件允许开发者将用户凭据安全地存储,并在用户访问受保护的页面时验证这些...
ASP.NET Core Authentication认证实现方法
12-17
ASP.NET Core Authentication是微软开发框架中的一个重要组成部分,用于处理应用程序的身份验证和授权。这个系统允许开发者轻松地集成各种身份验证机制,例如JWT(JSON Web Tokens)或其他令牌验证方案。在这个场景...
ASP.NET Session and Forms Authentication and Session Fixation
weixin_30265171的博客
10-12 78
https://peterwong.net/blog/asp-net-session-and-forms-authentication/ The title can be misleading, because in concept, one is not related to the other. However, a lot of web applications mix them u...
ASP.NET authentication and authorization
乌 的专栏
06-06 1581
关于Authentication和Authorization的入门级介绍。 Introduction This article will discuss how to implement ASP.NET authentication and authorization. This article initially starts with authentication
asp.net Authentication(认证) vs. Authorization(授权)
wch_hit的专栏
11-29 2094
ASP.NET authentication and authorizationBy Shivprasad koirala | 15 Aug 2010 | Unedited contribution Part of The SQL Zone . ASP.NET authentication and authorization Prize winner in Competition "Best ASP.NET article of August 2010" Updated with Ne
How to set the Default Page in ASP.NET?
cxu123321的博客
08-07 498
How to set the Default Page in ASP.NET? Ask Question Asked9 years, 7 months ago Active3 months ago Viewed219k times 127 34 Is there any section or code which allows us to set default p...
Mixing Forms and Windows Security in ASP.NET
dql's blog
02-22 608
Paul Wilson, MVPWilsonDotNet.comJanuary 2004 Applies to:   Microsoft® ASP.NET Summary: ASP.NET developers have been asking for a way to combine Forms and Windows security. Paul Wilson provid
转:ASP.NET Web Services or .NET Remoting: How to Choose
weixin_30815427的博客
08-10 196
ASP.NET Web Services or .NET Remoting: How to Choose Priya DhawanTim EwaldMicrosoft Developer Network September 2002 Applies to:Microsoft® ASP.NET Web servicesMicrosoft® .NET Framework...
how to prevent multiple login for same user in asp.net
Jane
05-05 1915
http://bytes.com/topic/asp-net/answers/890252-how-prevent-multiple-login-same-user-asp-netThis answer will depend on how you implement the login component of your application.Most of the time the login is associated with the browser that the user is workin
ASP.NET Practical Technique
lilin818的专栏
03-02 506
1. Building ASP.NET PagesASP.NET and the .NET FrameworkASP.NET is part of Microsoft's overall .NET framework, which contains a vast set of programming classes designed to satisfy any conceivable programming need. In the following two sections, you learn ho
asp.net forms身份验证,避免重复造轮子
10-29
ASP.NET Forms 身份验证是ASP.NET框架内建的一种安全机制,用于管理用户登录和授权。在传统的ASP应用中,通常使用Session和Cookie来实现用户的身份验证,但这种方式需要手动处理许多细节。Forms身份验证则提供了更为...
ASP.NET Forms身份认证
10-20
ASP.NET Forms身份认证是ASP.NET应用程序中用于管理用户身份和权限的一种机制。它允许开发者创建安全的Web应用,确保只有经过验证的用户才能访问特定的页面或功能。在ASP.NET中,身份验证模式可以设置为多种类型,如...
set user & password for database 设置数据库 用户和密码
DavidsonGong的博客
07-12 139
USE sbms;
7.10飞书一面面经
东篱君的博客
07-10 1174
B+树的⾮叶⼦节点不存放实际的记录数据,仅存放索引,所以数据量相同的情况下,相⽐存储即存索引⼜存记录的 B 树,B+树的⾮叶⼦节点可以存放更多的索引,因此 B+ 树可以⽐ B 树更「矮胖」,查询底层节点的磁盘 I/O次数会更少。主从复制:单节点Redis的并发能力是有上限的,要进一步提高Redis的并发能力,可以搭建主从集群,实现读写分离。B+ 树有⼤量的冗余节点(所有⾮叶⼦节点都是冗余索引),这些冗余索引让 B+ 树在插⼊、删除的效率都更⾼,⽐如删除根节点的时候,不会像 B 树那样会发⽣复杂的树的变化;
mysql笔记1
m0_62975692的博客
07-11 344
首先查看systemctl status mysqld,如果是关闭的可以进入的配置文件打开mysql,我的mysql配置文件就是在/usr/local/mysql/support-filess/下,在此目录下执行./mysql.server start,打开mysql服务,也可以通过systmectl start mysqld,如果你嫌麻烦的话可以systemctl enable mysqld 一直打开mysql的服务;重新给字段添加约束的时候不可以添加not null约束的!
Redis集群和高可用
最新发布
xiaogengtongxu的博客
07-13 395
主从架构无法实现master和slave角色的自动切换,即当master出现redis服务异常、主机断电、磁盘损坏等问题导致master无法使用,而redis主从复制无法实现自动的故障转移(将slave 自动提升为新master),需要手动修改环境配置,才能切换到slave redis服务器,另外当单台Redis服务器性能无法满足业务写入需求的时候,也无法横向扩展Redis服务的并行写入性能。master和slave角色的无缝切换,让业务无感知从而不影响业务使用。
Redis数据结构-String篇
时间如瑾 代码如诗
07-12 884
对⼀个内部表示成long型的string执行append, setbit, getrange这些命令,针对的仍然是string的值(即⼗进制表示的字符串),而不是针对内部表⽰的long型进⾏操作。因此,在这些命令的实现中,会把long型先转成字符串再进行相应的操作。String 的内部存储结构⼀般是 sds(Simple Dynamic String,可以动态扩展内存),但是如果⼀个String 类型的 value 的值是数字,那么 Redis 内部会把它转成 long 类型来存储,从⽽减少内存的使用。
ASP.NET编程知识】ASP.NET Forms身份认证详解.docx
05-15
ASP.NET中,可以通过调用`FormsAuthentication.SignOut()`方法或清除cookie来完成登出操作。 受保护的页面和登录页面在web.config文件中进行配置,可以定义哪些URL需要身份验证,以及登录失败后的重定向地址。...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值