ASP. NET Form Verification

Last Update:2018-12-07 Source: Internet

Author: User

Tags cookie names send cookies

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

I. ASP. NET Security Authentication Mode
Windows, forms, passport, none

Ii. Modify the Verification Mode
Modify web. config <system. Web>

<! -- Modify the Authentication Mode to forms -->
<Authentication mode = "forms">
<Forms loginurl = "~ /Login. aspx "name =" your user "defaulturl =" default. aspx "> </Forms>
</Authentication>
<! -- Disable anonymous logon -->
<Authorization>
<Deny users = "? "/>
</Authorization>

3. log in and issue an authentication ticket
Formsauthentication. formscookiename ~ Is the preceding Login User

// Return to the request page after successful login
A: system. Web. Security. formsauthentication. redirectfromloginpage (formsauthentication. formscookiename, false );

// Send a verification ticket to the specified page
B: system. Web. Security. formsauthentication. setauthcookie (formsauthentication. formscookiename, false );
Response. Redirect ("default. aspx ");

Iv. User logout
System. Web. Security. formsauthentication. signout ();

V. Whether the user has passed verification
User. Identity. isauthenticated // If the verification is successful or a cookie exists, the value is true; otherwise, the value is false.

Vi. Scope of Web. config
0: the setting of machine. config applies to all directories of the entire machine and all files under the directory. -->
1: Web. config settings apply to all files in the directory and all files in its subdirectories. --> sub-files with parent names
2: The Web. config settings under the subdirectory will overwrite the settings inherited by the parent directory --> it will be out, and the military will not be affected.

7. Set access permissions for a folder or file
1: create a web. config file in the corresponding folder
<Authorization>
<Deny users = "? "/> // Set the access permission here
</Authorization>

2: Set access permissions for all folders and folders of the entire site under the root directory web. config

<Configuration>
// Directory folder 1
<Location Path = "public"> // <Location Path = "Public/default. aspx"> Configure access for a file
<System. Web>
<Authorization>
<Allow users = "*"/>
</Authorization>
</System. Web>
</Location>

// Directory folder 2
<Location Path = "managesys">
<System. Web>
<Authorization>
<Allow users = "admin"/>
<Allow users = "WF"/>
<Allow users = "fy"/>
<Deny users = "*"/>
</Authorization>
</System. Web>
</Location>

// Configure web. config in the original root directory
<System. Web>
<Authentication mode = "forms">
<Forms loginurl = "~ /Login. aspx "name =" your user "defaulturl =" default. aspx "> </Forms>
</Authentication>
<Authorization>
<Deny users = "? "/>
</Authorization>
</System. Web>
</Configuration>

8. Single Sign-on
1: Get the machine key to generate the key

<Key generation method>
Protected void btn_ OK _click (Object sender, eventargs E)
{
String decstr = This. createkeystring (Int. parse (this. textbox1.text ));
String valstr = This. createkeystring (Int. parse (this. textbox2.text ));
This. textbox3.text = string. format ("<machinekey validationkey = \" {0} \ "decryptionkey = \" {1} \ "validation = \" sha1 \ "/>", valstr, decstr );
}
/// <Summary>
/// Generate a strong random key value of the encryption type
/// </Summary>
/// <Param name = "I"> valid key length:
/// The valid value of decryptionkey is 8 or 24;
/// The valid value of validationkay is 20 to 64.
/// </Param>
Private string createkeystring (int I)
{
System. Security. cryptography. rngcryptoserviceprovider RNG = new system. Security. cryptography. rngcryptoserviceprovider (); // cipher random number generator
Byte [] bt = new byte [I];
RNG. getbytes (BT); // fill in the byte array with the encrypted strong random value sequence
System. Text. stringbuilder STR = new system. Text. stringbuilder ();
For (Int J = 0; j <I; j ++)
{
Str. append (string. Format ("{0: X2}", BT [J]); // converts the string to hexadecimal text in uppercase.
}
Return Str. tostring ();
}
2: Add a key to the project root web. config for single-point login;

A) The <machinekey> node of the web. cinfig project ensures that the following fields are identical: validationkey, decryptionkey, and validation.
B) the cookie names of the two projects must be the same, that is, the name attribute in <forms>. Here we will unify it into name = "userlogin" // name = "www.wf.com"
C) be case sensitive.
D) integrate the login page to a unified login site, for example, loginurl = "www.wf.com/login.aspx", and issue a verification ticket on the login page.

// Project Website 1
<System. Web>
<Machinekey validationkey = "encrypt" decryptionkey = "9ebaa26a9e9424994ce2c0a4c0ea5b20" validation = "sha1"/>
<Authentication mode = "forms">
<Forms name = "userlogin" loginurl = "~ /Login. aspx "> </Forms>
</Authentication>
<Authorization>
<Deny users = "? "/>
</Authorization>
</System. Web>

// Project website 2
<System. Web>
<Machinekey validationkey = "encrypt" decryptionkey = "9ebaa26a9e9424994ce2c0a4c0ea5b20" validation = "sha1"/>
<Authentication mode = "forms">
<Forms name = "userlogin" loginurl = "~ /Login. aspx "> </Forms>
</Authentication>
<Authorization>
<Deny users = "? "/>
</Authorization>
</System. Web>

3. Send cookies to users
<1>: After one login, each site is granted cookie authentication.
<2>: After one login, Cookie authentication is selectively issued based on the user.

9. Cookie
1: Common cookie
Protected void button#click (Object sender, eventargs E)
{
Httpcookie ck = new httpcookie ("str ");
CK. expires. adddays (1 );
CK ["RR"] = "str_rr _";
CK ["W1"] = "str_w1 _";
Response. Cookies. Add (CK );

Httpcookie cknex = new httpcookie ("NEX ");
CK. expires. adddays (1 );
CK. value = "NEX _";
Response. Cookies. Add (cknex );
}
Protected void button2_click (Object sender, eventargs E)
{
Textbox1.text = request. Cookies ["str"] ["W1"]. tostring () + request. Cookies ["str"] ["RR"]. tostring ();
}

2: generate user-verified cookies
Public void authenticationusers (string username)
{
Formsauthenticationticket tichet = new formsauthenticationticket (1, username, datetime. Now, datetime. Now. addhours (24), true ,"");
String hashtichet = formsauthentication. Encrypt (tichet );

Httpcookie usercookie = new httpcookie (formsauthentication. formscookiename );
Usercookie. value = hashtichet;
Usercookie. expires = tichet. expiration;
Usercookie. Domain = formsauthentication. cookiedomain;
Httpcontext. Current. response. Cookies. Add (usercookie );
}

This cookie is equivalent to the following two cookies.

// Return to the request page after successful login
A: system. Web. Security. formsauthentication. redirectfromloginpage (formsauthentication. formscookiename, false );
// Send a verification ticket to the specified page
B: system. Web. Security. formsauthentication. setauthcookie (formsauthentication. formscookiename, false );

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More