Implementation of the identity authentication ticket-based Permission System

Source: Internet
Author: User

The conventional authorization design uses a user table, a permission table, a user-permission table, a role table, and a role-permission table. The table structure is generally as follows:

When a user logs on, the user name and password entered are checked against the user table; if they match, the logon succeeds and the user name or ID is saved in the Session. When a permission needs to be checked, the user-permission table is first searched for a row matching the user ID and the permission ID; if one exists, the user has the permission. Otherwise the user's roles are retrieved and checked to see whether any of them grants the operation. If none does, the parent role is looked up in the role parent-child relationship table and the check is repeated until there is no parent role left. If the permission is still not found, the user does not have it.

This traditional method requires a large number of database queries for every authorization check. Even when written as a stored procedure it is quite inefficient. It can cope with simple websites or applications, but for large websites this authentication method makes the database the bottleneck for site speed.

In the identity authentication system described here, the database structure is designed as follows:


In this structure, the user permission column of the account table is of Binary type. Each bit represents one permission, and the ID in the permission table corresponds to a bit position in this Binary value. In this way each byte represents 8 permissions. Because Binary supports a length of 8 KB, 8 K * 8 permissions are available, enough for all kinds of needs. For ease of use, a permission can also be expressed in one byte; although only 8 K permissions are then supported, that still satisfies most requirements.

When a user logs on, the user name and password are checked against the user table and the user's permissions are encrypted and stored in a Cookie or a hidden field (in a WinForm program they can also be kept in a static variable of a class). When a permission must be verified, its ID is retrieved from the permission table and compared against the corresponding bit in the user's permission value; if that bit is 1, the user has the permission. Only one database interaction is needed to determine whether the user has a permission, which greatly reduces the load on the database.

The role table, user-role table, and role parent-child relationship table described earlier are used only for authorization management: granting permissions to users, revoking permissions, and managing roles. After operations on these tables, the resulting user permissions are written to the user table.

If the role table is loaded into memory at system startup, permissions can be determined with a single database interaction. Of course, this algorithm also has disadvantages: for example, when user permissions are saved in the user's Cookie, newly granted permissions do not take effect until the user logs on again. But even if the data is retrieved from the table on every check, there are only two database interactions. Which of the two to use depends on actual needs.
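The bit layout and ticket flow described above, as an added Python example that is not the post's own code: permission ID n sits at byte n // 8, bit n % 8, and the mask travels in a ticket the server authenticates with an HMAC so the client cannot flip its own bits (the post's .NET ticket is encrypted; the HMAC, key, ticket layout and expiry here are assumptions). The expiry also caps how long a stale ticket keeps carrying a revoked permission, the drawback noted above.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real deployment loads it from a secret store.
SERVER_KEY = b"demo-server-key-not-for-production"

def grant(mask: bytearray, perm_id: int) -> None:
    """Set the bit for permission id: byte = id // 8, bit = id % 8 (8 per byte)."""
    if not 0 <= perm_id < len(mask) * 8:
        raise ValueError("permission id outside the mask")
    mask[perm_id // 8] |= 1 << (perm_id % 8)

def revoke(mask: bytearray, perm_id: int) -> None:
    """Clear the bit for permission id."""
    if 0 <= perm_id < len(mask) * 8:
        mask[perm_id // 8] &= 0xFF ^ (1 << (perm_id % 8))

def has_permission(mask: bytes, perm_id: int) -> bool:
    """One AND on one byte replaces the role/permission joins of the classic design."""
    if not 0 <= perm_id < len(mask) * 8:
        return False
    return bool(mask[perm_id // 8] & (1 << (perm_id % 8)))

def issue_ticket(user: str, mask: bytes, ttl: int = 3600, now=None) -> str:
    """Ticket = base64(claims) + '.' + HMAC-SHA256 tag; the mask rides in the claims."""
    now = int(time.time()) if now is None else now
    claims = {"u": user, "exp": now + ttl, "m": bytes(mask).hex()}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def read_ticket(ticket: str, now=None):
    """Return the claims only if the tag verifies and the ticket is unexpired, else None."""
    now = int(time.time()) if now is None else now
    payload, _, tag = ticket.partition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # client edited the bits or the tag: reject outright
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] <= now:
        return None  # expiry bounds how long a revoked permission stays usable
    claims["m"] = bytes.fromhex(claims["m"])
    return claims

def ticket_allows(ticket: str, perm_id: int, now=None) -> bool:
    """The per-request check: no database access at all."""
    claims = read_ticket(ticket, now)
    return claims is not None and has_permission(claims["m"], perm_id)
```

The HMAC protects integrity only; if the permission bits themselves must be hidden from the user, encrypt the payload as well, as the post's ticket does.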

Some may question the efficiency of binary operations. In fact, binary operations are much faster than string operations. Consider that 32 permissions take only 4 bytes, whereas the usual method of checking permissions needs at least 32 INTEGER values (32*4 = 128 bytes).

Careful readers may notice that I did not mention putting the permission information in the Session. I use this algorithm in .NET development. When a .NET program is updated, the application is easily restarted; unless the Session is stored in SQL Server or a Session server, the Session is lost when the application restarts, and the user experience is very poor. The .NET authentication ticket is encrypted and saved in a Cookie; although this carries some risk, I believe that with .NET Framework 2.0 and Microsoft's continuous efforts, security is sufficient.

I will release a .NET sample with code later for your reference. I also hope you will provide valuable comments.
