
Authentication in ASP.NET

2017-11-08 18:31
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/

https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/security/authenticating-users-with-windows-authentication-cs



authentication Element (ASP.NET Settings Schema)

Configures an ASP.NET application for custom forms-based authentication.

<authentication mode="Windows">
   <forms
      name=".ASPXAUTH"
      loginUrl="login.aspx"
      defaultUrl="default.aspx"
      protection="All"
      timeout="30"
      path="/"
      requireSSL="false"
      slidingExpiration="true"
      cookieless="UseDeviceProfile"
      domain=""
      enableCrossAppRedirects="false">
      <credentials passwordFormat="SHA1" />
   </forms>
   <passport redirectUrl="internal" />
</authentication>


<forms> Element

loginUrl

Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is default.aspx.

name

Specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each application's Web.config file.

timeout

Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.

slidingExpiration

Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expiration upon each request during a single session.

true: Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session. The default for version 1.0 of ASP.NET was true.

false: Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time it was originally issued. The default is false.
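
The renewal rule in the timeout description above (the cookie is refreshed only once more than half the timeout has elapsed), modelled as an added example; this is not code from the original page or from ASP.NET, and Ticket, renew_if_old and simulate are hypothetical names. It shows the loss of precision: with timeout="30", a request at minute 14 does not renew the ticket, so a user who is then idle for only 17 minutes is signed out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:            # hypothetical model of a forms-authentication ticket
    issued: float        # minute the ticket was issued
    expires: float       # minute the ticket stops being accepted

def renew_if_old(ticket, now):
    """Reissue the ticket only when more than half its lifetime has elapsed."""
    if (now - ticket.issued) > (ticket.expires - now):
        lifetime = ticket.expires - ticket.issued
        return Ticket(issued=now, expires=now + lifetime)
    return ticket

def simulate(request_minutes, timeout=30, sliding=True):
    """Replay requests (minutes after login) and report how each one is treated."""
    ticket = Ticket(issued=0, expires=timeout)
    outcomes = []
    for now in request_minutes:
        if now >= ticket.expires:
            outcomes.append((now, "expired"))   # user is redirected to loginUrl
            break
        renewed = renew_if_old(ticket, now) if sliding else ticket
        outcomes.append((now, "renewed" if renewed != ticket else "accepted"))
        ticket = renewed
    return outcomes

if __name__ == "__main__":
    # Constructed request timelines, all with timeout="30".
    for label, timeline, sliding in [
        ("idle 17 min after an early request", [14, 31], True),
        ("idle 17 min after a late request", [16, 33], True),
        ("slidingExpiration=false", [16, 33], False),
    ]:
        print(label, simulate(timeline, sliding=sliding))
```
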

defaultUrl

Optional attribute.

Defines the default URL that is used for redirection after authentication.

This attribute is new in the .NET Framework version 2.0.

The default is "default.aspx".

path

Optional attribute.

Specifies the path for cookies that are issued by the application.

The default is a slash (/), because most browsers are case-sensitive and will not send cookies back if there is a path case mismatch.

Some of the attributes above can be configured in IIS.

<authentication mode="Forms">
   <forms loginUrl="member_login.aspx"
      cookieless="UseCookies"
      path="/MyApplication" />
</authentication>

Static fields in the FormsAuthentication class


https://stackoverflow.com/questions/879321/formsauthentication-formscookiepath

https://www.quirksmode.org/js/cookies.html

Domain and path

Each cookie also has a domain and a path. The domain tells the browser to which domain the cookie should be sent. If you don't specify it, it becomes the domain of the page that sets the cookie, in the case of this page www.quirksmode.org.

Please note that the purpose of the domain is to allow cookies to cross sub-domains. My cookie will not be read by search.quirksmode.org because its domain is www.quirksmode.org. When I set the domain to quirksmode.org, the search sub-domain may also read the cookie.

I cannot set the cookie domain to a domain I'm not in, I cannot make the domain www.microsoft.com. Only quirksmode.org is allowed, in this case.

The path gives you the chance to specify a directory where the cookie is active. So if you want the cookie to be only sent to pages in the directory cgi-bin, set the path to /cgi-bin. Usually the path is set to /, which means the cookie is valid throughout the entire domain.

This script does so, so the cookies you can set on this page will be sent to any page in the www.quirksmode.org domain (though only this page has a script that searches for the cookies and does something with them).

https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_path



HttpCookie

Provides a type-safe way to create and manipulate individual HTTP cookies.

The HttpCookie class gets and sets properties of individual cookies. The HttpCookieCollection class provides methods to store, retrieve, and manage multiple cookies.

ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of the HttpRequest object contains cookies transmitted by the client to the server in the Cookie header. The collection accessed through the Cookies collection of the HttpResponse object contains new cookies created on the server and transmitted to the client in the Set-Cookie HTTP response header.

HttpCookie.Path

Gets or sets the virtual path to transmit with the current cookie.

The virtual path to transmit with the cookie. The default is /, which is the server root.

The Path property extends the Domain property to completely describe the specific URL to which the cookie applies.

For example, in the URL http://www.microsoft.com/asp, the domain is www.microsoft.com and the path is /asp.

HttpCookie.Domain

Gets or sets the domain to associate the cookie with.

The name of the domain to associate the cookie with. The default value is the current domain.

Setting the Domain attribute limits transmission of the cookie to clients requesting a resource from that domain.
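
How Domain and Path together decide whether a browser returns a cookie, as an added example that is not from the original page; the matching follows RFC 6265, and the function names and the example.test host are assumptions. It covers the sub-domain case described above and the path case mismatch that motivates the path="/" default, using the path="/MyApplication" value from the earlier configuration.

```python
from urllib.parse import urlsplit

def domain_matches(host, cookie_domain, host_only):
    """RFC 6265 domain-match; host_only means no Domain attribute was set."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_matches(request_path, cookie_path):
    """RFC 6265 path-match; the comparison is case-sensitive."""
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix must end on a segment boundary: /app matches /app/x, not /app2.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_is_sent(url, cookie_domain, cookie_path="/", host_only=False):
    """True if a cookie with this domain and path accompanies a request to url."""
    parts = urlsplit(url)
    return (domain_matches(parts.hostname, cookie_domain, host_only)
            and path_matches(parts.path, cookie_path))

if __name__ == "__main__":
    # Constructed requests; example.test stands in for the application's host.
    checks = [
        ("http://search.quirksmode.org/", "www.quirksmode.org", "/", True),
        ("http://search.quirksmode.org/", "quirksmode.org", "/", False),
        ("http://example.test/MyApplication/default.aspx", "example.test", "/MyApplication", True),
        ("http://example.test/myapplication/default.aspx", "example.test", "/MyApplication", True),
        ("http://example.test/MyApplication2/default.aspx", "example.test", "/MyApplication", True),
    ]
    for url, domain, path, host_only in checks:
        print(url, "->", cookie_is_sent(url, domain, path, host_only))
```

With path="/MyApplication", a request to /myapplication/default.aspx carries no authentication cookie, so the user is redirected to loginUrl even though a valid ticket exists.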

To enable Windows authentication, it must be turned on in IIS; see https://docs.kentico.com/k10/managing-users/user-registration-and-authentication/configuring-windows-ad-authentication

sessionState Element (ASP.NET Settings Schema)

https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.100).aspx

timeout

Optional TimeSpan attribute.

Specifies the number of minutes a session can be idle before it is abandoned. The timeout attribute cannot be set to a value that is greater than 525,600 minutes (1 year) for the in-process and state-server modes.

The session timeout configuration setting applies only to ASP.NET pages. Changing the session timeout value does not affect the session time-out for ASP pages. Similarly, changing the session time-out for ASP pages does not affect the session time-out for ASP.NET pages.

The default is 20 minutes.

https://msdn.microsoft.com/en-us/library/ms178581.aspx