1.Is的response.ClaimedIdentifier正确的资料片将存储对用户？

块引用>

的是的。并确保将其存储在数据库中的列区分大小写。下面是一个说明如何确保它是区分大小写的表架构。这出来的DotNetOpenAuth项目模板的数据库架构。指定的归类支架的情况下，CS有点敏感。

  CREATE TABLE [DBO]。[AuthenticationToken]（
    [AuthenticationTokenId] INT IDENTITY（1,1）NOT NULL，
    [用户ID] INT NOT NULL，
    [OpenIdClaimedIdentifier] NVARCHAR（250）COLLATE SQL_Latin1_General_CP1_CS_AS NOT NULL，
    [OpenIdFriendlyIdentifier] NVARCHAR（250）NULL，
    [CreatedOn] DATETIME NOT NULL，
    [LASTUSED] DATETIME NOT NULL，
    [UsageCount] INT NOT NULL
）;
 

  

2.Is FormAuthentication.SetAuthCookie的preferred方式窗体身份验证？还是有更好的办法？

块引用>

有关MVC应用程式，绝对是，因为你仍然可以回到你的$ P $从方法pferred 的ActionResult 。

  

3，当我打电话SetAuthCookie，有与除ClaimedIdentifier用户的数据。如果我一直指他们的用户ID，是一个更好的主意来创建用户，那么该用户ID存储在cookie而不是ClaimedIdentifier？

块引用>

这听起来像个人preference。不过，我通常会去与user_ID的，因为它可能每一个HTTP请求进入，需要你查找任何用户信息的时间导致更快的数据库查找。

  

4，如果我使用的用户ID在一些地方，我怎么无论是从cookie中检索，或者存放在别的地方更符合逻辑/有用吗？

块引用>

FormsAuthentication的确实的提供了一种方法来存储不仅仅是用户名的加密的cookie的更多信息，但它比你期望使用它更难。这个片断出来DotNetOpenAuth的Web SSO RP样本：

  const int的TimeoutInMinutes = 100; // TODO：从web.config文件中查找正确的价值
VAR票=新的FormsAuthenticationTicket（
    2，//使用FormsAuth幻数
    response.ClaimedIdentifier，//用户名
    DateTime.Now，
    DateTime.Now.AddMinutes（TimeoutInMinutes）
    假的，//记住我
    你额外的数据放在这里）;的HttpCookie饼干=新的HttpCookie（FormsAuthentication.FormsCookieName，FormsAuthentication.Encrypt（门票））;
Response.SetCookie（饼干）;
的Response.Redirect（的Request.QueryString [RETURNURL] ?? FormsAuthentication.DefaultUrl）;
 

然后你就可以在这个未来的HTTP请求的额外的数据得到：

  VAR饼干= HttpContext.Current.Request.Cookies [FormsAuthentication.FormsCookieName]
如果（饼干！= NULL）{
    VAR票= FormsAuthentication.Decrypt（cookie.Value）;
    如果（！string.IsNullOrEmpty（ticket.UserData））{
        //做一些很酷的额外的数据在这里
    }
}
 

This question is a bit of a structural/design question as I'm having trouble working out the best way to perform the task.

In my MVC app, I am using DotNetOpenAuth (3.4) as my login information provider and just using the standard FormsAuthentication for cookies etc.

The current user table in the DB has:

• UserId (PK, uniqueidentifier)
• OpenIdIdentifier (nvarchar(255))
• OpenIdDisplay (nvarchar(255))
• Displayname (nvarchar(50))
• Email (nvarchar(50))
• PhoneNumber (nvarchar(50))

As the UserId is the clear identifier for a user (they should be able to change their OpenId provider at a later date), it is the key that other tables link to (for a user).

This is the current code, that on a successfull authentication, creates a temporary user and redirects to Create Action.

        switch (response.Status)
        {
            case AuthenticationStatus.Authenticated:

                FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false);

                var users = new UserRepository();
                if (!users.IsOpenIdAssociated(response.ClaimedIdentifier))
                {
                    var newUser = new DueDate.Models.User();
                    newUser.OpenIdIdentifer = response.ClaimedIdentifier;
                    newUser.OpenIdDisplay = response.FriendlyIdentifierForDisplay;

                    TempData["newUser"] = newUser;

                    return this.RedirectToAction("Create");
                }

And now for the crux of the question:

1. Is the response.ClaimedIdentifier the correct piece of information to be storing against a user?

2. Is FormAuthentication.SetAuthCookie the preferred way to forms authentication? Or is there a better way?

3. When I call SetAuthCookie, there is no data relating to the user except for the ClaimedIdentifier. If I'm consistently referring to their UserId, is a better idea to create the user, then store that UserId in the cookie instead of the ClaimedIdentifier?

4. If I'm using that UserId in a number of places, how do I either retrieve it from the cookie, or store it somewhere else more logical/useful?

A bit long winded but I've been having trouble trying to work out the best way to do this/

1.Is the response.ClaimedIdentifier the correct piece of information to be storing against a user?

Yes. And make sure the column you store it in the database with is case sensitive. Here is a table schema that demonstrates how to make sure it is case sensitive. This comes out of the DotNetOpenAuth project template's database schema. The "CS" bit of the specified collation stand for Case Sensitive.

CREATE TABLE [dbo].[AuthenticationToken] (
    [AuthenticationTokenId]    INT            IDENTITY (1, 1) NOT NULL,
    [UserId]                   INT            NOT NULL,
    [OpenIdClaimedIdentifier]  NVARCHAR (250) COLLATE SQL_Latin1_General_CP1_CS_AS NOT NULL,
    [OpenIdFriendlyIdentifier] NVARCHAR (250) NULL,
    [CreatedOn]                DATETIME       NOT NULL,
    [LastUsed]                 DATETIME       NOT NULL,
    [UsageCount]               INT            NOT NULL
);

2.Is FormAuthentication.SetAuthCookie the preferred way to forms authentication? Or is there a better way?

For MVC apps it definitely is, since you still can return your preferred ActionResult from the method.

3.When I call SetAuthCookie, there is no data relating to the user except for the ClaimedIdentifier. If I'm consistently referring to their UserId, is a better idea to create the user, then store that UserId in the cookie instead of the ClaimedIdentifier?

That sounds like personal preference. But I would typically go with user_id, since it might result in a faster database lookup every time an HTTP request comes in that requires you to look up any user information.

4.If I'm using that UserId in a number of places, how do I either retrieve it from the cookie, or store it somewhere else more logical/useful?

FormsAuthentication does provide a way to store more information in its encrypted cookie than just username, but it is harder than you'd expect to use it. This snippet comes out of DotNetOpenAuth's web SSO RP sample:

const int TimeoutInMinutes = 100; // TODO: look up the right value from the web.config file
var ticket = new FormsAuthenticationTicket(
    2, // magic number used by FormsAuth
    response.ClaimedIdentifier, // username
    DateTime.Now,
    DateTime.Now.AddMinutes(TimeoutInMinutes),
    false, // "remember me"
    "your extra data goes here");

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
Response.SetCookie(cookie);
Response.Redirect(Request.QueryString["ReturnUrl"] ?? FormsAuthentication.DefaultUrl);

Then you can get at that extra data in a future HTTP request with this:

var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null) {
    var ticket = FormsAuthentication.Decrypt(cookie.Value);
    if (!string.IsNullOrEmpty(ticket.UserData)) {
        // do something cool with the extra data here
    }
}