1. The following example configures a site, in its web.config file, to use ASP.NET Forms authentication:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MyAppCookie"
             loginUrl="~/Login.aspx"
             protection="All"
             timeout="30" path="/" />
    </authentication>
    ...
  </system.web>
</configuration>

Forms authentication settings:

Attribute    Description
name         The name of the HTTP cookie to use for authentication (defaults to .ASPXAUTH). If multiple applications are running on the same web server, you should give each application's security cookie a unique name.
loginUrl     Your custom login page, where the user is redirected if no valid authentication cookie is found. The default value is Login.aspx.
protection   The type of encryption and validation used for the security cookie (can be All, None, Encryption, or Validation). Validation ensures the cookie isn't changed during transit, and encryption (typically Triple-DES) is used to encode its contents. The default value is All.
timeout      The number of idle minutes before the cookie expires. ASP.NET will refresh the cookie every time it receives a request. The default value is 30.
path         The path for cookies issued by the application. The default value (/) is recommended, because case mismatches can prevent the cookie from being sent with a request.

 

2. Authorization Rules

<authorization>
  <allow users="*" />
  <deny users="?" />
</authorization>

When evaluating rules, ASP.NET scans through the list from top to bottom and then continues with the settings in any .config file inherited from a parent directory, ending with the settings in the base machine.config file. As soon as it finds an applicable rule, it stops its search. Thus, in the previous case, it will determine that the rule <allow users="*"> applies to the current request and will not evaluate the second line. This means these rules will allow all users, including anonymous users.

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

Now these rules will deny anonymous users (by matching the first rule) and allow all other users (by matching the second rule).
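The first-match walk described above, as an added console example that is not part of the original post: it models the `<allow>`/`<deny>` evaluation with `*` (everyone), `?` (anonymous) and named users, and goes a little beyond the text by also handling the `roles` attribute that the same elements accept. The rule chain is constructed in code (the app's section, an empty parent web.config, then machine.config's `<allow users="*"/>`); the user names and the Admins role are constructed sample values.

```csharp
// Added example (not from the original post): a stand-alone console model of how
// ASP.NET evaluates <authorization> rules. Real ASP.NET reads the rules from the
// web.config chain; here they are constructed in code so the program runs on its own.
using System;
using System.Collections.Generic;
using System.Linq;

public enum RuleAction { Allow, Deny }

// One <allow> or <deny> element; Users and Roles hold the comma-separated attribute values.
public class AuthRule
{
    public RuleAction Action;
    public string[] Users = new string[0];
    public string[] Roles = new string[0];

    public static AuthRule Allow(string users = null, string roles = null)
        => new AuthRule { Action = RuleAction.Allow, Users = Split(users), Roles = Split(roles) };

    public static AuthRule Deny(string users = null, string roles = null)
        => new AuthRule { Action = RuleAction.Deny, Users = Split(users), Roles = Split(roles) };

    private static string[] Split(string attr) =>
        string.IsNullOrEmpty(attr) ? new string[0] : attr.Split(',').Select(s => s.Trim()).ToArray();

    // "*" matches every request, "?" matches anonymous requests, anything else is a
    // user name or role name, compared case-insensitively as ASP.NET does.
    public bool Matches(string userName, bool isAuthenticated, string[] roles)
    {
        foreach (string u in Users)
        {
            if (u == "*") return true;
            if (u == "?") { if (!isAuthenticated) return true; else continue; }
            if (isAuthenticated && string.Equals(u, userName, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return isAuthenticated && Roles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

public static class UrlAuthorization
{
    // configSections is ordered from the requested directory's web.config outward to
    // machine.config. The first rule that applies decides; nothing after it is consulted.
    public static bool IsAllowed(IEnumerable<IEnumerable<AuthRule>> configSections,
                                 string userName, bool isAuthenticated, string[] roles)
    {
        foreach (IEnumerable<AuthRule> section in configSections)
            foreach (AuthRule rule in section)
                if (rule.Matches(userName, isAuthenticated, roles))
                    return rule.Action == RuleAction.Allow;
        // machine.config ships with <allow users="*"/>, so a rule is always found in
        // practice; deny here is only a defensive default for the model.
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // The two orderings from the text.
        AuthRule[] allowThenDeny = { AuthRule.Allow(users: "*"), AuthRule.Deny(users: "?") };
        AuthRule[] denyThenAllow = { AuthRule.Deny(users: "?"), AuthRule.Allow(users: "*") };
        // A role-based variant (constructed): only members of Admins, everyone else denied.
        AuthRule[] adminsOnly = { AuthRule.Allow(roles: "Admins"), AuthRule.Deny(users: "*") };
        // Inherited settings: an empty parent web.config, then machine.config's <allow users="*"/>.
        AuthRule[][] inherited = { new AuthRule[0], new[] { AuthRule.Allow(users: "*") } };

        Report("allow-then-deny", allowThenDeny, inherited);
        Report("deny-then-allow", denyThenAllow, inherited);
        Report("admins-only", adminsOnly, inherited);
    }

    // Evaluates one app section plus the inherited chain for three constructed requests.
    private static void Report(string label, AuthRule[] appRules, AuthRule[][] inherited)
    {
        IEnumerable<AuthRule[]> chain = new[] { appRules }.Concat(inherited);
        Console.WriteLine("{0}: anonymous={1}, alice(no roles)={2}, bob(Admins)={3}",
            label,
            UrlAuthorization.IsAllowed(chain, "", false, new string[0]),
            UrlAuthorization.IsAllowed(chain, "alice", true, new string[0]),
            UrlAuthorization.IsAllowed(chain, "bob", true, new[] { "Admins" }));
    }
}
```

Running it shows the point of the text directly: with allow-then-deny the anonymous request is allowed because `<allow users="*"/>` matches first and the `<deny users="?"/>` below it is never reached; with deny-then-allow the anonymous request is denied and the authenticated users are allowed; and the admins-only section lets only the Admins member through, since `<deny users="*"/>` stops the walk before the inherited machine.config allow is ever consulted.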

3. The Login Page

ASP.NET provides a special FormsAuthentication class in the System.Web.Security namespace, which provides static methods that help manage the process.

public partial class Login : System.Web.UI.Page
{
    protected void cmdLogin_Click(Object sender, EventArgs e)
    {
        if (txtPassword.Text.ToLower() == "secret")
        {
            FormsAuthentication.RedirectFromLoginPage(
                txtName.Text, false);
        }
        else
        {
            lblStatus.Text = "Try again.";
        }
    }
}

The RedirectFromLoginPage() method requires two parameters. The first sets the name of the user. The second is a Boolean variable that specifies whether you want to create a persistent cookie (one that stays on the user’s hard drive for a longer period of time).

4. Retrieving the User's Identity

Once the user is logged in, you can retrieve the identity through the built-in User property, as shown here:

protected void Page_Load(Object sender, EventArgs e)
{
    lblMessage.Text = "You have reached the secured page, ";
    lblMessage.Text += User.Identity.Name + ".";
}

5. Signing Out

private void cmdSignOut_Click(Object sender, EventArgs e)
{
    FormsAuthentication.SignOut();
    Response.Redirect("~/Login.aspx");
}

6. Persistent Cookies

A persistent authentication cookie remains on the user’s hard drive and keeps the user signed in for hours, days, or weeks—even if the user closes and reopens the browser.

Creating a persistent cookie requires a bit more code than creating a standard forms authentication cookie. Instead of using the RedirectFromLoginPage() method, you need to manually create the authentication ticket, set its expiration time, encrypt it, attach it to the response, and then redirect the user to the requested page. All of these tasks are easy, but it's important to perform them all in the correct order.

The following code examines a check box named chkPersist. If it’s selected, the code creates a persistent cookie that lasts for 20 days:

// Perform the authentication.
if (txtPassword.Text.ToLower() == "secret")
{
    if (chkPersist.Checked)
    {
        // Use a persistent cookie that lasts 20 days.
        // The timeout must be specified as a number of minutes.
        int timeout = (int)TimeSpan.FromDays(20).TotalMinutes;

        // Create an authentication ticket.
        FormsAuthenticationTicket ticket = new
            FormsAuthenticationTicket(txtName.Text, true, timeout);

        // Encrypt the ticket (so people can't steal it as it travels over
        // the Internet).
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);

        // Create the cookie for the ticket, and put the ticket inside.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            encryptedTicket);

        // Give the cookie and the authentication ticket the same expiration.
        cookie.Expires = ticket.Expiration;

        // Attach the cookie to the current response. It will now travel back to
        // the client, and then back to the web server with every new request.
        HttpContext.Current.Response.Cookies.Set(cookie);

        // Send the user to the originally requested page.
        string requestedPage = FormsAuthentication.GetRedirectUrl(txtName.Text,
            false);
        Response.Redirect(requestedPage, true);
    }
    else
    {
        // Use the standard authentication method.
        FormsAuthentication.RedirectFromLoginPage(
            txtName.Text, false);
    }
}

It’s worth noting that the FormsAuthentication.SignOut() method will always remove the forms authentication cookie, regardless of whether it is a normal cookie or a persistent cookie.
