ASP. NET forms-based authentication mechanism-Role authorization

The process of building a forms-based authentication mechanism is as follows:
1. Set IIS to anonymous access and set form verification in Asp.net web. config.
2. retrieve the data storage to verify the user and retrieve the role (if not based on the role, do not use it)

Simple role-free mode:

Use formsauthenticationticket to create a cookie and send it back to the client, and store the role in the ticket, for example:
Formsauthentication. setauthcookie (username, true | false)
Cookie Retention Time:
Httpcontext. Current. response. Cookies [formsauthentication. formscookiename]. expires = datetime. Now. adddays (1)

To store roles:

2. Formsauthenticationticket authticket =New
4. Formsauthenticationticket (
6. 1,// Version
8. Txtusername. Text,// User Name
10. Datetime. Now,// Creation
12. Datetime. Now. addminutes (20 ),// Expiration
14.  False,// Persistent
16. Roles );// User data
18. // Roles is a role String Array
20.  StringEncryptedticket = formsauthentication. Encrypt (authticket );// Encryption

 
Formsauthenticationticket authticket = newformsauthenticationticket (1, // versiontxtusername. text, // user namedatetime. now, // creationdatetime. now. addminutes (20), // expirationfalse, // persistentroles); // user data // roles is a role String Array string encryptedticket = formsauthentication. encrypt (authticket); // Encryption
 

Store Cookie

1. Httpcookie authcookie =
2. NewHttpcookie (formsauthentication. formscookiename,
3. Encryptedticket );
5. Response. Cookies. Add (authcookie );

 
Httpcookie authcookie = new httpcookie (formsauthentication. formscookiename, encryptedticket); response. Cookies. Add (authcookie );
 

Process in application_authenticaterequest eventProgramIn (Global. asax), use the ticket to create the iprincipal object and the object exists in httpcontext. User.Code:

2. Protected VoidApplication_authorizerequest (ObjectSender, system. eventargs E)
4. {
6. Httpapplication APP = (httpapplication) sender;
8. Httpcontext CTX = app. context;// Obtain the httpcontext object related to this HTTP Request
10.  If(CTX. Request. isauthenticated =True)// A verified user can process the role.
12. {
14. Formsidentity id = (formsidentity) CTX. User. identity;
16. Formsauthenticationticket ticket = ID. ticket;// Obtain the authentication ticket
18.  String[] Roles = ticket. userdata. Split (',');// Convert the role data in the authentication ticket to a String Array
20. CTX. User =NewGenericprincipal (ID, roles );// Add the original identity with the role information to create a genericprincipal to indicate the current user, so that the current user has the role information
22. }
24. }

 
Protected voidPostauthenticaterequest(Object sender, eventargs E)
{Httpapplication APP = (httpapplication) sender; httpcontext CTX = app. context; // obtain the httpcontext object related to this HTTP request if (CTX. request. isauthenticated = true) // The authenticated user performs role processing {formsidentity id = (formsidentity) CTX. user. identity; formsauthenticationticket ticket = ID. ticket; // get the authentication ticket string [] roles = ticket. userdata. split (','); // convert the role data in the authentication ticket to a string array CTX. user = new genericprincipal (ID, roles); // Add the original identity with the role information to create a genericprincipal to indicate the current user, so that the current user has the role information }}
 

There are two ways to control roles on some pages:
1. Add in Web. config

1. "editpost. aspx " >
4. "rolename" />
5. "? " />

<Location Path = "editpost. aspx"> <system. Web> <authorization> <allow roles = "rolename"/> <deny users = "? "/> </Authorization> </system. Web> </location>
 

2. Place files accessible only by some roles in the same directory and add a web. config

4. "rolename" />
5. "*" />

<Configuration> <system. web> <authorization> <allow roles = "rolename"/> <deny users = "*"/> </authorization> </system. web> </configuration>
 

Note: The Web. config setting of sub-directories takes precedence over the web. config setting of the parent directory.

Forms authentication, Why can't all users enter after <allow roles = "Administrators"/> <deny users = "*"/>?

It is wrong to put the authorization code in application_authorizerequest! Due to many problemsArticleThey are all references, so it is very good for programmers to be killed. They should be put in the following event.

Void application_postauthenticaterequest (Object sender, eventargs E)
{
Httpapplication APP = (httpapplication) sender;
Httpcontext CTX = app. Context; // obtain the httpcontext object related to this HTTP Request
If (CTX. Request. isauthenticated) // The authenticated user can process the role.
{
Formsidentity id = CTX. User. Identity as formsidentity;
Formsauthenticationticket ticket = ID. Ticket; // get the authentication ticket
String [] roles = ticket. userdata. Split (','); // convert the role data in the ticket to a String Array
CTX. user = new system. security. principal. genericprincipal (ID, roles); // Add the original identity with the role information to create a genericprincipal to indicate the current user, so that the current user has the role information
}
}

Please refer to: http://community.csdn.net/Expert/TopicView3.asp? Id = 5526963