在哪里读取 Forms 身份验证 cookie?
Where to read Forms authentication cookie?
我在一个项目中实现了Forms认证。在表单身份验证 cookie 中,我存储了用户的登录 ID。即
FormsAuthentication.SetAuthCookie(LoginId, false);
我现在需要读取每个请求的 cookie 值以获取有关用户的更多信息并将此信息放入 HttpContext.Items 属性。该项目是一个 MVC 项目,具有常规 MVC 控制器和 Web API 控制器。目前我已经创建了两个动作过滤器 - 一个用于 MVC 控制器,另一个用于我读取此值的 Web API 控制器。好喜欢
public class MyMvcFilter : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null)
{
var ticket = FormsAuthentication.Decrypt(cookie.Value);
filterContext.HttpContext.Items.Add("LoginId",ticket.Name);
}
base.OnAuthorization(filterContext);
}
}
和
public class MyFilter : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
base.OnActionExecuting(actionContext);
var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie == null)
{
return;
}
var ticket = FormsAuthentication.Decrypt(cookie.Value);
if (ticket == null)
{
return;
}
actionContext.Request.Properties.Add("LoginId", userId);
}
}
然而,我越想它,就越觉得它像一个丑陋的 hack。我可以解密身份验证 cookie 并且对于 MVC 控制器和 Web API 控制器保持相同的正确位置是什么?
MVC 和 WebAPI(直到 .NET Core)不共享相同的管道,因此您需要使用两个不同的过滤器。
您可以做的是共享代码,如果您愿意,可以使用实用方法或其他方式。只是为了避免两个代码做同样的事情
我会:
读取
上的 cookie
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
}
在上述方法中....将 cookie 转换为 ClaimsPrincipal。
像下面这样:
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
IList<Claim> claimCollection = new List<Claim>
{
new Claim("http://www.mycompany.com/claims/LoginId, "123456" /* use info from cookie instead of 123456*/)
};
ClaimsIdentity claimsIdentity = new ClaimsIdentity(claimCollection, "My e-commerce website");
Console.WriteLine(claimsIdentity.IsAuthenticated);
ClaimsPrincipal customPrinc = new ClaimsPrincipal(claimsIdentity);
if (null != customPrinc)
{
Thread.CurrentPrincipal = customPrinc; /* Set here. But when you need to "get" it, use "System.Security.Claims.ClaimsPrincipal.Current" */
/* ASP.NET Authorization depends on value of HttpContext.Current.User.
* Consider putting ClaimsPrincipal into both HttpContext.Current.User and Thread.CurrentPrincipal */
HttpContext.Current.User = customPrinc;
/* Note the second setter is necessary so you don't lose it later on, learned the hard way by experience */
}
}
根据需要检索声明主体..
/* MVC */
public override void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext)
{
/* the below should be what you set in the Application_PostAuthenticateRequest method */
IPrincipal currentClaimsPrinc = ClaimsPrincipal.Current;
}
/* WebAPI */
public override void OnAuthorization(HttpActionContext actionContext)
{
IPrincipal claimsPrincCurrent = ClaimsPrincipal.Current;
}
您也可以这样做:
adding claims to forms authentication in asp.net
或者这个:
或者这个:
我在一个项目中实现了Forms认证。在表单身份验证 cookie 中,我存储了用户的登录 ID。即
FormsAuthentication.SetAuthCookie(LoginId, false);
我现在需要读取每个请求的 cookie 值以获取有关用户的更多信息并将此信息放入 HttpContext.Items 属性。该项目是一个 MVC 项目,具有常规 MVC 控制器和 Web API 控制器。目前我已经创建了两个动作过滤器 - 一个用于 MVC 控制器,另一个用于我读取此值的 Web API 控制器。好喜欢
public class MyMvcFilter : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null)
{
var ticket = FormsAuthentication.Decrypt(cookie.Value);
filterContext.HttpContext.Items.Add("LoginId",ticket.Name);
}
base.OnAuthorization(filterContext);
}
}
和
public class MyFilter : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
base.OnActionExecuting(actionContext);
var cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie == null)
{
return;
}
var ticket = FormsAuthentication.Decrypt(cookie.Value);
if (ticket == null)
{
return;
}
actionContext.Request.Properties.Add("LoginId", userId);
}
}
然而,我越想它,就越觉得它像一个丑陋的 hack。我可以解密身份验证 cookie 并且对于 MVC 控制器和 Web API 控制器保持相同的正确位置是什么?
MVC 和 WebAPI(直到 .NET Core)不共享相同的管道,因此您需要使用两个不同的过滤器。
您可以做的是共享代码,如果您愿意,可以使用实用方法或其他方式。只是为了避免两个代码做同样的事情
我会:
读取
上的 cookieprotected void Application_PostAuthenticateRequest(object sender, EventArgs e) { }在上述方法中....将 cookie 转换为 ClaimsPrincipal。 像下面这样:
protected void Application_PostAuthenticateRequest(object sender, EventArgs e) { IList<Claim> claimCollection = new List<Claim> { new Claim("http://www.mycompany.com/claims/LoginId, "123456" /* use info from cookie instead of 123456*/) }; ClaimsIdentity claimsIdentity = new ClaimsIdentity(claimCollection, "My e-commerce website"); Console.WriteLine(claimsIdentity.IsAuthenticated); ClaimsPrincipal customPrinc = new ClaimsPrincipal(claimsIdentity); if (null != customPrinc) { Thread.CurrentPrincipal = customPrinc; /* Set here. But when you need to "get" it, use "System.Security.Claims.ClaimsPrincipal.Current" */ /* ASP.NET Authorization depends on value of HttpContext.Current.User. * Consider putting ClaimsPrincipal into both HttpContext.Current.User and Thread.CurrentPrincipal */ HttpContext.Current.User = customPrinc; /* Note the second setter is necessary so you don't lose it later on, learned the hard way by experience */ } }
根据需要检索声明主体..
/* MVC */
public override void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext)
{
/* the below should be what you set in the Application_PostAuthenticateRequest method */
IPrincipal currentClaimsPrinc = ClaimsPrincipal.Current;
}
/* WebAPI */
public override void OnAuthorization(HttpActionContext actionContext)
{
IPrincipal claimsPrincCurrent = ClaimsPrincipal.Current;
}
您也可以这样做:
adding claims to forms authentication in asp.net
或者这个:
或者这个: