ASP.NET: Implementing Secure Online Access and Management with Forms-Based Authentication

xiaoxiao, 2021-03-06

I recently read "ASP.NET Security Advanced Programming", which covers forms-based authentication, and found that it contains quite a few misconceptions, so I decided to write up "Using ASP.NET forms-based authentication to implement secure online access and management" together with corrections.

The file layout is:

    Bin/                    // assemblies, e.g. the DLL that validates the user
    Admin/                  // administrator files
        index.aspx
        test.aspx
        *.aspx
        web.config          // web.config for the Admin folder
    login.aspx
    web.config              // web.config in the root directory

(1) First, the important methods and properties of FormsAuthentication (search MSDN for more):

FormsCookieName: returns the configured cookie name for the current application.

GetAuthCookie: creates an authentication cookie for the given user name. It does not add the cookie to the response, so the application keeps control over how the cookie is issued.

Authenticate: given the supplied credentials, attempts to validate them against the credentials in the configured credential store.

GetRedirectUrl: returns the redirect URL of the original request that caused the redirect to the login page.

HashPasswordForStoringInConfigFile: given a password and a string identifying the hash type, produces a hash suitable for storing in the configuration file. (Caveat: this is an unsalted MD5 or SHA1 hash and the method is marked obsolete in later .NET versions; do not use it for a real password store.)

RedirectFromLoginPage: redirects an authenticated user back to the originally requested URL. Remark: the method redirects to the URL named by the ReturnUrl key in the query string. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, caller.aspx is the return URL that RedirectFromLoginPage redirects to. If the ReturnUrl key is absent, RedirectFromLoginPage redirects to default.aspx.

SetAuthCookie: creates an authentication ticket and attaches it to the cookie collection of the outgoing response. It does not perform a redirect.

SignOut: removes the authentication ticket.

(2) Now let's understand, step by step, exactly how a page is protected.

To restate the requirement: the Admin folder is the administrator "zone" for back-end management. Only after logging in through login.aspx may a user access the pages in the Admin folder, so the form in login.aspx must verify that the user is an administrator.

Step 1: Suppose we set up the restriction.

See the web.config in the Admin folder:

    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

Notice the <deny users="?" /> element: "?" stands for anonymous (unauthenticated) users, so anyone who has not logged in is refused access to the Admin folder. What happens if an anonymous user tries anyway (requests a page in the Admin folder)? The request is redirected to login.aspx. Keep in mind that this rule only excludes anonymous users: every user who holds a valid forms ticket gets in. That is acceptable here only because login.aspx issues tickets to administrators alone; if the same application ever logs in ordinary users, restrict the folder by role instead. Now look at the root web.config:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name="MyCookieName" loginUrl="login.aspx" protection="All" timeout="30">
          </forms>
        </authentication>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </configuration>

The root web.config sets the authentication mode and how it is handled. mode="Forms" selects forms authentication, and loginUrl="login.aspx" means that when an anonymous user tries to reach a protected page (the Admin folder) the request is redirected to login.aspx so that the user can log in. name is the cookie name, protection="All" both encrypts and signs the ticket, and timeout="30" lets the ticket expire after 30 minutes.

Step 2: When we click the "administrator login" link we arrive at login.aspx, and the URL is actually login.aspx?ReturnUrl=admin/index.aspx (the page we originally requested). If we pass verification in login.aspx, the page automatically jumps back to that ReturnUrl.

Take a look at login.aspx:

    <asp:TextBox id="TextName" runat="server" /> Account
    <asp:TextBox id="TextPassword" TextMode="Password" runat="server" /> Password
    <asp:CheckBox id="MyCheckBox" runat="server" /> Remember me (stay logged in)
    <asp:Button runat="server" OnClick="BtnLoginClick" Text="Login" />

Handler for event 1 (when the user clicks the login button):

    void BtnLoginClick(object sender, EventArgs e)
    {
        // ValidateUser stands for the user-validation routine; it can live in a DLL
        // in the Bin directory and returns a bool.
        if (ValidateUser(TextName.Text, TextPassword.Text))
        {
            FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckBox.Checked);
        }
    }

1. FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckBox.Checked) sets the authentication cookie that marks the user as verified, then returns to the page that was just requested (admin/index.aspx).

2. That one statement is equivalent to these two:

    FormsAuthentication.SetAuthCookie(TextName.Text, MyCheckBox.Checked);
    Response.Redirect(FormsAuthentication.GetRedirectUrl(TextName.Text, MyCheckBox.Checked));

3. If MyCheckBox is checked, a persistent cookie is written; in ASP.NET 1.x it is kept for 50 years (later versions instead give a persistent cookie the configured timeout). We can of course change that lifetime:

Handler for event 1 (when the user clicks the login button):

    void BtnLoginClick(object sender, EventArgs e)
    {
        // ValidateUser: the user-validation routine, e.g. in a DLL in Bin; returns a bool.
        if (ValidateUser(TextName.Text, TextPassword.Text))
        {
            HttpCookie authenticationCookie =
                FormsAuthentication.GetAuthCookie(TextName.Text, MyCheckBox.Checked);
            authenticationCookie.Expires = DateTime.Now.AddDays(3); // keep the cookie for 3 days
            Response.Cookies.Add(authenticationCookie);
            Response.Redirect(FormsAuthentication.GetRedirectUrl(TextName.Text, MyCheckBox.Checked));
        }
    }
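Added example (not code from the original article). The 3-day variant above changes only cookie.Expires, but on ASP.NET 2.0 and later the FormsAuthenticationModule decides whether a request is still authenticated from the expiration stored inside the encrypted ticket, not from the browser-side cookie lifetime, so that cookie would stop working after the configured 30-minute timeout regardless of its Expires value. To make the ticket last as long as the cookie, build the FormsAuthenticationTicket yourself and encrypt it. The control ids TextName, TextPassword and MyCheckBox are those of the login page above; ValidateUser is a placeholder for the validation routine the article keeps in a Bin DLL, and the "admin" user-data string is an assumption.

```csharp
// Added example, not the article's own code.
using System;
using System.Web;
using System.Web.Security;

public partial class LoginPage : System.Web.UI.Page
{
    // Placeholder for the validation routine the article keeps in the Bin directory.
    // A real implementation looks the user up and compares a salted hash (assumption).
    private static bool ValidateUser(string name, string password)
    {
        return name == "admin" && password == "correct horse battery staple";
    }

    // Builds the ticket with an explicit expiration so ticket and cookie agree.
    internal static HttpCookie BuildAuthCookie(string userName, bool persistent, DateTime expires,
                                               bool secureConnection)
    {
        // The expiration inside the ticket is what ASP.NET checks on later requests;
        // cookie.Expires only tells the browser how long to keep the cookie.
        var ticket = new FormsAuthenticationTicket(
            1,                 // version
            userName,          // user name
            DateTime.Now,      // issue date
            expires,           // ticket expiration
            persistent,        // persistent cookie?
            "admin");          // user data (assumption): a role hint for custom checks

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                 // not readable from script
            Secure = secureConnection,       // send only over HTTPS when the site uses it
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
        {
            cookie.Expires = expires;        // omitted for a session cookie
        }
        return cookie;
    }

    protected void BtnLoginClick(object sender, EventArgs e)
    {
        if (!ValidateUser(TextName.Text, TextPassword.Text))
        {
            return;   // failure handling is out of scope here
        }

        bool persistent = MyCheckBox.Checked;
        // 3 days when "remember me" is ticked, otherwise the article's 30-minute timeout.
        DateTime expires = persistent ? DateTime.Now.AddDays(3) : DateTime.Now.AddMinutes(30);

        Response.Cookies.Add(BuildAuthCookie(TextName.Text, persistent, expires,
                                             Request.IsSecureConnection));
        Response.Redirect(FormsAuthentication.GetRedirectUrl(TextName.Text, persistent));
    }
}
```

Because the ticket is produced by FormsAuthentication.Encrypt, it is still protected according to protection="All" in web.config, and FormsAuthenticationModule decrypts it exactly as it would one produced by GetAuthCookie.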

4. There is a bug, and I don't know why. Look at this handler for event 1 (when the user clicks the login button):

    void BtnLoginClick(object sender, EventArgs e)
    {
        // ValidateUser: the user-validation routine, e.g. in a DLL in Bin; returns a bool.
        if (ValidateUser(TextName.Text, TextPassword.Text))
        {
            FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckBox.Checked);
            Response.Redirect("http://www.quickrespondresponser.com");
        }
    }

What is going on? By rights, FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckBox.Checked) should jump to the requested page admin/index.aspx. However, in my actual tests I found that the page executes Response.Redirect("http://www.quickrespondresponser.com"). Oh my God! Depressing. (Who can give me a correct explanation? QQ: 15422225, mail: root@3ney.com)

5. Our links should not point directly at login.aspx. Why? Suppose we open login.aspx directly: the URL then has no ReturnUrl parameter, so the default, default.aspx (or index.aspx, ...), is used. When the administrator passes verification, the page does not go to admin/index.aspx but to the root directory's default page. (If you do link directly, that is also possible, using the bug above as the solution.)
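Added example (not code from the original article) covering points 4 and 5. The behaviour in point 4 has a plain explanation: RedirectFromLoginPage sets the Location header through Response.Redirect(url, false), that is, without ending the response, so the handler keeps running, and the later Response.Redirect("http://...") (whose endResponse parameter defaults to true) replaces that header and then ends the response. The last redirect wins. The reliable pattern is to set the cookie with SetAuthCookie and issue exactly one redirect yourself. That also lets you choose the admin home page as the fallback when there is no ReturnUrl (point 5), and lets you check that ReturnUrl stays on your own site, since it is a query-string value anyone can craft. AdminHome, SafeReturnUrl and ValidateUser are assumptions for the example; the control ids are those of the login page above.

```csharp
// Added example, not the article's own code.
using System;
using System.Web;
using System.Web.Security;

public partial class LoginPage : System.Web.UI.Page
{
    // Assumption: where an administrator lands when no ReturnUrl was supplied.
    private const string AdminHome = "~/Admin/index.aspx";

    // Placeholder for the validation routine the article keeps in the Bin directory.
    private static bool ValidateUser(string name, string password)
    {
        return name == "admin" && password == "correct horse battery staple";
    }

    // Only honour a ReturnUrl that stays on this site. Accepts "/Admin/index.aspx",
    // "~/Admin/index.aspx" and "Admin/index.aspx"; falls back for "//evil.example",
    // "/\evil.example", "http://evil.example" and an empty value.
    internal static string SafeReturnUrl(string returnUrl, string fallback)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return fallback;
        if (returnUrl.StartsWith("~/", StringComparison.Ordinal))
            return returnUrl;
        if (returnUrl.StartsWith("/", StringComparison.Ordinal))
        {
            // "//host" and "/\host" are protocol-relative: they leave the site.
            bool leavesSite = returnUrl.StartsWith("//", StringComparison.Ordinal)
                           || returnUrl.StartsWith("/\\", StringComparison.Ordinal);
            return leavesSite ? fallback : returnUrl;
        }
        // A scheme ("http:", "javascript:") or a backslash prefix is not a site-relative path.
        if (returnUrl.Contains(":") || returnUrl.StartsWith("\\", StringComparison.Ordinal))
            return fallback;
        return "~/" + returnUrl;   // plain relative path such as admin/index.aspx
    }

    protected void BtnLoginClick(object sender, EventArgs e)
    {
        if (!ValidateUser(TextName.Text, TextPassword.Text))
            return;

        // Variant A: keep the article's call, but return right after it so that nothing
        // later in the handler can replace the Location header it set.
        //   FormsAuthentication.RedirectFromLoginPage(TextName.Text, MyCheckBox.Checked);
        //   return;

        // Variant B: set the cookie, then issue exactly one redirect that we control.
        FormsAuthentication.SetAuthCookie(TextName.Text, MyCheckBox.Checked);
        string target = SafeReturnUrl(Request.QueryString["ReturnUrl"], AdminHome);
        Response.Redirect(target);   // endResponse defaults to true: nothing runs after this
    }
}
```

With variant B a link straight to login.aspx sends the administrator to Admin/index.aspx instead of the root default.aspx, and a crafted ReturnUrl pointing off-site is replaced by the same fallback.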

