Forms 验证
webconfig中配置----------------------
<authentication mode="Forms">
2 <forms
3 protection="All"
4 timeout="20"
5 name=".XDOTNET"
6 loginUrl="SignIn.aspx"
7 defaultUrl="Default.aspx"
8 path="/"
9 requireSSL="false"
10 enableCrossAppRedirects="false"
11 >
12 </forms>
13 </authentication>
----验证用户是否登录成功---------------------
public static bool ValidUser(string userName, string password)
2 {
3 if (!string.IsNullOrEmpty(userName) && !string.IsNullOrEmpty(password))
4 {
5 password = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "MD5");
6 string realPassword = Users.GetUser(userName).Password;
7 if (string.Compare(password, realPassword, true) == 0)
8 {
9 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
10 userName,
11 DateTime.Now,
12 DateTime.Now.AddMinutes(20),
13 false,
14 null//可以将Roles按","分割成字符串,写入cookie
15 );
16 string data = FormsAuthentication.Encrypt(ticket);
17 HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, data);
18 cookie.Path = FormsAuthentication.FormsCookiePath;
19 cookie.Domain = FormsAuthentication.CookieDomain;
20 cookie.Expires = ticket.Expiration;
21 HttpContext.Current.Response.Cookies.Add(cookie);
22 return true;
23 }
24 }
25 return false;
26 }
---------------------要把用户加入到Http上下文HttpContext的当前请求的User对象中,代码如下:---------
FormsIdentity identity = new FormsIdentity(ticket);
2 GenericPrincipal user = new GenericPrincipal(identity, new string[] { });
3 HttpContext.Current.User = user
--------------是否通过了验证
HttpContext.Current.User.Identity.IsAuthenticated
from 安全方面---------------
配置forms验证:
Name:验证cookie的名字,不能冲突,要唯一,不要用默认的“.ASPXAUTH”。
Protection:应该一直用ALL,保证安全和完整性。
Timeout:,默认30分,slidingExpiration设置为“true”时,从上次请求开始算起,自动更新验证超时时间,不要设置cookie为persistent,持久的cookie没有超时限制。
Path:不要用默认的“/”,并且区分大小写。通过限制路径可以减少跨站点攻击风险。
Requiressl:默认为false,为了安全应该设置为true,这样才能保证cookie的传输是安全的,是防止cookie劫持的唯一方式。
Credentials的passwordFormat不要用Clear
