且构网


Automatically sign out users whose authorization has been revoked

Updated: 2023-12-04 10:22:34


Hey,

I asked a similar question a couple of days ago, but I don't see the same effect as described.

Essentially, I use ASP with form authentication. I manage users with a membership provider, but it has been pretty extensively customized.

It is possible that a user might have permissions removed whilst they are logged in. I want to kick them out asap.

I use SignalR in my apps, and I now check the user permissions on each and every hub query. Authorization failure causes the client to navigate to a page that logs them out (with a harshly worded message letting them know that they've been kicked out).

I had assumed, and was informed, that when the user navigates to a new page after losing authorization, ASP would check the user's permissions again. It doesn't.

Do I have to add checks into each page or is there a setting I'm missing?

Any advice is welcome ^_^

Thanks
Andy

What I have tried:

I use SignalR for SPAs, which checks authorisation, so in most cases the effect is there for my apps, but my colleagues mostly use page navigation to control workflow and don't use SignalR.

We can check authorisation on every page load, but I have heard that this is done automagically. Is there a setting or a simple app-wide fix?

With forms authentication, the only thing that's validated for each request is that the cookie contains a valid forms authentication ticket, and that the ticket has not expired.

If you want to check that the ticket still represents a valid user in your membership store, then you need to add that check to each request. The simplest solution is probably to use a custom IHttpModule:

using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using JetBrains.Annotations; // provides the [NotNull] attribute used below

public sealed class MembershipValidationModule : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        if (context == null) throw new ArgumentNullException(nameof(context));

        // PostAuthenticateRequest fires after FormsAuthenticationModule has
        // turned the ticket cookie into context.User, so the name is available.
        context.PostAuthenticateRequest += (s, e) =>
        {
            var app = s as HttpApplication;
            if (app?.Context != null)
            {
                OnAuthenticated(new HttpContextWrapper(app.Context));
            }
        };
    }

    private static void OnAuthenticated([NotNull] HttpContextBase context)
    {
        if (IsFormsAuthenticated(context.User))
        {
            // Membership.GetUser() looks up the current identity's name in the
            // membership store (and, with this overload, updates LastActivityDate).
            var user = Membership.GetUser();
            if (user == null || !user.IsApproved)
            {
                // Clear the ticket cookie and drop the principal for this request.
                FormsAuthentication.SignOut();
                context.User = null;
            }
        }
    }

    private static bool IsFormsAuthenticated(IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return string.Equals(user.Identity.AuthenticationType, "Forms", StringComparison.OrdinalIgnoreCase);
    }
}


<configuration>
    <system.webServer>
        <validation validateIntegratedModeConfiguration="false"/>

        <modules>
            <add
                name="MembershipValidationModule"
                preCondition="managedHandler"
                type="YourNamespace.MembershipValidationModule, YourAssembly"
            />
        </modules>
    </system.webServer>
</configuration>
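As an added example (not the answer's own code, and not part of the original thread), here is a stricter variant of the same module that also treats locked-out accounts as invalid, reads the membership record with the read-only `GetUser(name, userIsOnline: false)` overload so the store is not written on every request, replaces the principal with an anonymous one instead of `null`, and redirects to the login page immediately rather than rendering the current page. The namespace, the `StrictMembershipValidationModule` and `TicketRevalidation` names and the `TicketVerdict` enum are assumptions; everything else uses the standard `System.Web.Security` API.

```csharp
// Added example, not from the original answer. Names in the YourNamespace
// namespace are assumptions; the framework calls are standard System.Web.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace YourNamespace
{
    public enum TicketVerdict { Valid, UserMissing, NotApproved, LockedOut }

    public static class TicketRevalidation
    {
        // Pure decision: takes no HttpContext, so it can be exercised
        // without a request pipeline.
        public static TicketVerdict Evaluate(MembershipUser user)
        {
            if (user == null) return TicketVerdict.UserMissing;
            if (user.IsLockedOut) return TicketVerdict.LockedOut;
            if (!user.IsApproved) return TicketVerdict.NotApproved;
            return TicketVerdict.Valid;
        }
    }

    public sealed class StrictMembershipValidationModule : IHttpModule
    {
        public void Dispose() { }

        public void Init(HttpApplication context)
        {
            if (context == null) throw new ArgumentNullException(nameof(context));

            // By PostAuthenticateRequest the forms ticket has already been
            // materialised as context.User, so its name can be looked up.
            context.PostAuthenticateRequest += (s, e) =>
            {
                var app = (HttpApplication)s;
                Revalidate(new HttpContextWrapper(app.Context));
            };
        }

        internal static void Revalidate(HttpContextBase context)
        {
            var identity = context.User?.Identity;
            if (identity == null || !identity.IsAuthenticated) return;
            if (!string.Equals(identity.AuthenticationType, "Forms",
                               StringComparison.OrdinalIgnoreCase)) return;

            // userIsOnline: false -> read-only lookup, no LastActivityDate
            // write against the membership store on every request.
            var user = Membership.GetUser(identity.Name, userIsOnline: false);
            var verdict = TicketRevalidation.Evaluate(user);
            if (verdict == TicketVerdict.Valid) return;

            // Invalidate the ticket cookie and swap in an anonymous principal
            // rather than null, so later code reading context.User.Identity
            // does not throw a NullReferenceException.
            FormsAuthentication.SignOut();
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

            // Leaves an audit trail in the page trace (visible when tracing is enabled)
            // stating which account was rejected and why.
            context.Trace.Warn("Auth", "Forms ticket rejected for '" + identity.Name + "': " + verdict);

            // Send the browser to the login page now instead of serving this
            // request anonymously; RedirectToLoginPage preserves ReturnUrl.
            FormsAuthentication.RedirectToLoginPage();
            context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Register it in `<system.webServer><modules>` exactly like the module in the answer, changing only the `type` attribute to `YourNamespace.StrictMembershipValidationModule, YourAssembly`. Because `Revalidate` runs on every authenticated request, the membership lookup is on the hot path; if that cost matters, the place to add a short-lived cache is around `Membership.GetUser`, bearing in mind that any cache lifetime is also the longest a revoked account can keep browsing.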