ASP.NET Forms Authentication

Source: Internet
Author: User
Tags: cookie names, send cookies

I. ASP.NET security authentication modes
Windows, Forms, Passport, None

II. Changing the authentication mode
Edit the <system.web> section of web.config:

    <!-- Change the authentication mode to Forms -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" name="youruser" defaultUrl="default.aspx"></forms>
    </authentication>
    <!-- Deny anonymous users (the "?" wildcard) -->
    <authorization>
      <deny users="?"/>
    </authorization>

3. Logging in and issuing the authentication ticket
FormsAuthentication.FormsCookieName returns the cookie name set by the name attribute of <forms> above. The first argument of the two calls below is the name of the user who just authenticated; the second (false) asks for a session cookie rather than a persistent one.

    // A: issue the ticket and return to the page the user originally requested
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(userName, false);

    // B: issue the ticket and redirect to a page of your choice
    System.Web.Security.FormsAuthentication.SetAuthCookie(userName, false);
    Response.Redirect("default.aspx");
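A complete Login.aspx code-behind for the configuration above, added here as an example (it is not code from the original page). It assumes a Membership provider is configured in web.config and that the page has controls named txtUser, txtPassword, chkPersist and lblError; those names are assumptions.

```csharp
// Added example, not from the original page.
// Assumptions: a Membership provider is configured in web.config; the page has
// TextBox controls txtUser/txtPassword, a CheckBox chkPersist and a Label lblError.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUser.Text.Trim();

        // Validate the credentials on the server; the client is never trusted for this step.
        if (!Membership.ValidateUser(userName, txtPassword.Text))
        {
            // One message for both "unknown user" and "wrong password", so the form
            // does not reveal which accounts exist.
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Persistent cookie only when the user explicitly asks for it.
        bool persistent = chkPersist.Checked;

        // Option A from the page: issue the ticket cookie and go back to the page the
        // user originally requested (the ReturnUrl query parameter). With the default
        // FormsAuthentication.EnableCrossAppRedirects == false, a ReturnUrl that points
        // outside this application is replaced by DefaultUrl, which blocks open redirects.
        FormsAuthentication.RedirectFromLoginPage(userName, persistent);

        // Option B from the page, if you want to choose the landing page yourself:
        // FormsAuthentication.SetAuthCookie(userName, persistent);
        // Response.Redirect(FormsAuthentication.DefaultUrl);
    }
}
```

Both options write the same encrypted ticket cookie; they differ only in where the browser is sent afterwards.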

IV. User logout
    System.Web.Security.FormsAuthentication.SignOut();

V. Checking whether the user is authenticated
    User.Identity.IsAuthenticated // true when the request carries a valid authentication ticket cookie; otherwise false

VI. Scope of web.config
0: machine.config settings apply to every directory and every file on the machine.
1: web.config settings apply to every file in its directory and in all of its subdirectories; child directories inherit the parent's settings.
2: A web.config in a subdirectory overrides the settings it inherits from the parent directory; the more specific (child) setting wins.

7. Setting access permissions for a folder or file
1: Create a web.config in the folder in question:

    <authorization>
      <deny users="?"/> <!-- set the access rule for this folder here -->
    </authorization>

2: Set the access permissions for every folder of the site from the root web.config:

    <configuration>
      <!-- Folder 1 -->
      <location path="public"> <!-- <location path="public/default.aspx"> configures access for a single file -->
        <system.web>
          <authorization>
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>

      <!-- Folder 2 -->
      <location path="managesys">
        <system.web>
          <authorization>
            <allow users="admin"/>
            <allow users="WF"/>
            <allow users="fy"/>
            <deny users="*"/> <!-- rules are evaluated top to bottom; the first match wins -->
          </authorization>
        </system.web>
      </location>

      <!-- The original root web.config settings -->
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="~/Login.aspx" name="youruser" defaultUrl="default.aspx"></forms>
        </authentication>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>
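The <location> rules above are enforced by the runtime on every request, but a site usually also wants its menu to show only the links the current user can open. The helper below, added here as an example and not part of the original page, asks the same authorization rules through UrlAuthorizationModule.CheckUrlAccessForPrincipal, so the menu and the enforcement cannot drift apart. The paths are the public and managesys folders from the sample web.config; the menuList control name in the usage comment is an assumption.

```csharp
// Added example, not from the original page.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class MenuAccess
{
    // Returns the subset of virtualPaths that the given principal is allowed to GET,
    // evaluated against the <authorization> rules in web.config (including <location> blocks).
    public static List<string> VisibleLinks(IPrincipal user, IEnumerable<string> virtualPaths)
    {
        var visible = new List<string>();
        foreach (string path in virtualPaths)
        {
            if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, user, "GET"))
            {
                visible.Add(path);
            }
        }
        return visible;
    }
}

// Usage from a master page, for example in Page_Load (menuList is an assumed control name):
//   string[] candidates = { "~/public/default.aspx", "~/managesys/default.aspx" };
//   foreach (string link in MenuAccess.VisibleLinks(HttpContext.Current.User, candidates))
//       menuList.Items.Add(link);
```

With the sample configuration an anonymous request (denied by users="?" at the root but allowed by users="*" inside the public location) gets only ~/public/default.aspx back, while a user named "admin" also gets ~/managesys/default.aspx. Hiding a link is presentation only: the <authorization> rules still decide the request itself.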

8. Single sign-on
1: Generate the machineKey values

    Key generation method:
    protected void btn_OK_Click(object sender, EventArgs e)
    {
        string decStr = this.CreateKeyString(int.Parse(this.TextBox1.Text));
        string valStr = this.CreateKeyString(int.Parse(this.TextBox2.Text));
        this.TextBox3.Text = string.Format("<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\"/>", valStr, decStr);
    }
    /// <summary>
    /// Generate a cryptographically strong random key value
    /// </summary>
    /// <param name="i">key length in bytes:
    /// the valid length for decryptionKey is 8 or 24;
    /// the valid length for validationKey is 20 to 64.
    /// </param>
    private string CreateKeyString(int i)
    {
        System.Security.Cryptography.RNGCryptoServiceProvider rng = new System.Security.Cryptography.RNGCryptoServiceProvider(); // cryptographic random number generator
        byte[] bt = new byte[i];
        rng.GetBytes(bt); // fill the array with cryptographically strong random bytes
        System.Text.StringBuilder str = new System.Text.StringBuilder();
        for (int j = 0; j < i; j++)
        {
            str.Append(string.Format("{0:X2}", bt[j])); // append each byte as two uppercase hexadecimal digits
        }
        return str.ToString();
    }
2: Add the key to the root web.config of each project taking part in single sign-on.

A) The <machineKey> node in each project's web.config must carry identical validationKey, decryptionKey and validation values.
B) The cookie names of the two projects must be the same, i.e. the name attribute of <forms>. Here it is unified as name="userlogin" (a value such as name="www.wf.com" would work equally well).
C) These values are case sensitive.
D) Point both projects at one shared login site, for example loginUrl="www.wf.com/login.aspx", and issue the authentication ticket from that login page.

<!-- Project website 1 -->
    <system.web>
      <machineKey validationKey="encrypt" decryptionKey="9ebaa26a9e9424994ce2c0a4c0ea5b20" validation="SHA1"/>
      <authentication mode="Forms">
        <forms name="userlogin" loginUrl="~/Login.aspx"></forms>
      </authentication>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>

<!-- Project website 2 -->
    <system.web>
      <machineKey validationKey="encrypt" decryptionKey="9ebaa26a9e9424994ce2c0a4c0ea5b20" validation="SHA1"/>
      <authentication mode="Forms">
        <forms name="userlogin" loginUrl="~/Login.aspx"></forms>
      </authentication>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>

3. Sending the cookie to users
<1>: After one login, every site accepts the same authentication cookie.
<2>: After one login, the authentication cookie is issued selectively according to the user.

9. Cookies
1: Ordinary cookies
    protected void Button1_Click(object sender, EventArgs e)
    {
        HttpCookie ck = new HttpCookie("str");
        ck.Expires = DateTime.Now.AddDays(1); // Expires must be assigned; calling AddDays on it alone changes nothing
        ck["RR"] = "str_rr_";                 // multi-value cookie: two named sub-values
        ck["W1"] = "str_w1_";
        Response.Cookies.Add(ck);

        HttpCookie ckNex = new HttpCookie("NEX");
        ckNex.Expires = DateTime.Now.AddDays(1); // set on the new cookie, not on ck
        ckNex.Value = "NEX_";
        Response.Cookies.Add(ckNex);
    }
    protected void Button2_Click(object sender, EventArgs e)
    {
        HttpCookie stored = Request.Cookies["str"];
        if (stored == null) return; // the cookie may be absent or expired
        TextBox1.Text = stored["W1"] + stored["RR"];
    }

2: Creating the authentication cookie by hand
    public void AuthenticationUsers(string userName)
    {
        // ticket version 1, issued now, valid for 24 hours, persistent, no user data
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddHours(24), true, "");
        string hashTicket = FormsAuthentication.Encrypt(ticket); // encrypted and integrity-protected with the machineKey

        HttpCookie userCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
        userCookie.Value = hashTicket;
        userCookie.Expires = ticket.Expiration;
        userCookie.Domain = FormsAuthentication.CookieDomain;
        HttpContext.Current.Response.Cookies.Add(userCookie);
    }

Building the cookie by hand is equivalent to the cookie issued by either of the following two calls.

    // A: issue the ticket and return to the page the user originally requested
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(userName, false);
    // B: issue the ticket and redirect to a page of your choice
    System.Web.Security.FormsAuthentication.SetAuthCookie(userName, false);
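The hand-built ticket in section 9.2 shows the issuing side only, and section 8.3 leaves open how a second site decides what a shared cookie entitles the user to. The block below, added here as an example and not code from the original page, does both: it issues the ticket with HttpOnly and Secure set and the user's roles carried in the UserData field, and it rebuilds the principal from the cookie on the receiving side, which is where a site that shares the machineKey and cookie name applies its own role checks (the selective issuance of 8.3 <2>). Carrying roles in UserData, the TicketHelper class name and the Global.asax wiring are assumptions of this example.

```csharp
// Added example, not from the original page.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketHelper
{
    // Issuing side: build a Forms ticket whose UserData carries the user's roles as a comma list.
    public static HttpCookie IssueTicket(string userName, string[] roles, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddHours(24), persistent,
            string.Join(",", roles), FormsAuthentication.FormsCookiePath);

        // Encrypt() also appends a MAC, so the receiving side can detect tampering.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                         // not readable by page script
        cookie.Secure = FormsAuthentication.RequireSSL; // honours <forms requireSSL="true">
        cookie.Domain = FormsAuthentication.CookieDomain;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;         // otherwise it stays a session cookie
        }
        return cookie;
    }

    // Receiving side: rebuild the principal from the cookie. Returns null when there is
    // no valid ticket, so the request stays anonymous and <deny users="?"/> applies.
    public static IPrincipal PrincipalFromRequest(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt() checks the MAC with the machineKey; a cookie that was altered,
            // or issued by a site with a different key, does not survive this call.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;
        }
        if (ticket == null || ticket.Expired)
        {
            return null;
        }

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Wiring in Global.asax (assumed): run once per request before authorization.
// protected void Application_AuthenticateRequest(object sender, EventArgs e)
// {
//     IPrincipal p = TicketHelper.PrincipalFromRequest(Request);
//     if (p != null) HttpContext.Current.User = p;
// }
```

On the login site, call IssueTicket from the login handler and add the returned cookie to the response. Every project that shares the same machineKey and <forms name> can then call PrincipalFromRequest on the cookie, and each one decides for itself which of the carried roles it honours, for example with User.IsInRole("admin") or <allow roles="..."/> in its own web.config.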

 
