ASP. NET identity authentication record

Basic knowledge
The identity is primarily a two storage location on the client:
Cookies are commonly used
URLs rarely use URLs as an alternative to disabling cookies
form is almost no hassle, each request must be a form submission method
Authorization rarely used, header.authorization is stored in the Base64 plaintext data, unsafe, generally in the router or simple document browsing will be used

Authentication mode because it is simple and convenient

Normal login, login yourself, verify authorization
OAuth2.0, a generic authentication authorization service, is primarily provided to the app's API. This is especially the case with data access calls. such as forwarding Weibo, but this abuse is more dangerous
OpenID, the Universal authentication Service, is used to unify the login function. Web site A supports X's Opentid, you can log in at the time after the X login to have an OpenID logo, this identity A is also recognized identity, the two-party data is not universal,
SSO, Single Sign-on, unified authentication, authorized Web services. You can have data interoperability after logging in.
NET authentication mechanism
Form authentication, depending on the identity in the cookie or URL
Integrated Windows authentication for intranet (LAN), relies on IIS
Basic basic certification to save ticket information in Head.authorization, jump must be URL transmission, not automatically carry, security low
Digest Digest Authentication client and server-side contract encryption method, the transfer of one-way cryptographic information Digest, the service side also encrypted to verify
Server-side session data storage location is two kinds
Client, stored in the cookie, each request sent to the server, after parsing in the background code to use, customer traffic is large, security is low, server memory consumption is lower
Server-side, stored in server memory, high memory consumption, high security, low traffic

ASP. NET identity authentication--http://tech.it168.com/a2012/0417/1338/000001338130_all.shtml
Authentication: AuthenticateRequest event in ASP.
Constructing HttpContext.User Objects
Implemented by FormsAuthenticationModule
Authorization: AuthorizeRequest event in ASP.
Check authorization, redirect
Implemented by UrlAuthorizationModule (this moudule combines membership, etc.)
Login: Formsauthentication.setauthcookie () method, is the default setting of the login ticket method, there is only one identity, no other information
Set Cookies and Encrypt
Logoff: FormsAuthentication.SignOut () method
Clean Up Cookie Tags
Judge: request.isauthenticated judge whether to login
Check the Httpcontext.user,context. User.identity,context. User.Identity.IsAuthenticated
Expired: FormsAuthenticationTicket for Bill base class
Ticket base class expiration time, Slidingexpiration=true, will either expire the state is invalid
Cookie Expiration Time
Custom Froms Certification
1. Customize user information class Customeruser, implement IPrincipal interface
2. Build FormsAuthenticationTicket notes upon login,
Passing the Customeruser instance as data
Encrypted string, Formsauthentication.encrypt (ticket)
Create a cookie, name =formsauthentication.formscookiename,
Write Cookie
Adding event handling in 3.global.asax
Application_AuthenticateRequest Events
Remove, decrypt, and construct Context.User objects
Multiple servers using form authentication
The default is that the local security authority is native-generated with the secret key
Multiple common needs configuration key
<machinekey decryption= "Auto" [Auto | DES | 3DES | AES] decryptionkey= "Autogenerate,isolateapps"/>
Decryption unencrypted algorithm
MVC's form validation is consistent, but authorization is generally no longer used, instead filtering attribute identification

ASP. NET identity authentication record