ASP.NET Forms Authentication

Source: Internet
Author: User

ASP.NET Forms authentication. The following describes the authentication and authorization process in detail:

1) When a user first visits the site, the user logs on and has their identity confirmed, and a cookie containing the authentication ticket is written to the client. On each later request for a page, the authentication-ticket cookie is sent back to the server. On the server side, ASP.NET assigns an HttpApplication object to each HTTP request to process it. After the AuthenticateRequest event, the security module has established the user's identity on the web server, and that identity is created entirely from the authentication-ticket cookie sent by the client.

2) The user identity is held in the HttpContext.User property. On a page, Page.Context returns the HttpContext object associated with that page. For Forms authentication, HttpContext.User is a GenericPrincipal object. GenericPrincipal has only one public property, Identity; it also has a private m_role field of type string[] that stores the roles the user belongs to, and a public method IsInRole(string role) that tests whether the user belongs to a role.
Because the authentication-ticket cookie carries no role attribute, that is, the Forms authentication ticket does not carry the user's role information, the m_role field of the GenericPrincipal obtained on the server is always empty under Forms authentication.

3) GenericPrincipal.Identity is a FormsIdentity object. It has a Name property, the identifier of this user, which access authorization uses as the user name when checking permissions. FormsIdentity also has a Ticket property of type FormsAuthenticationTicket: the authentication ticket the server previously wrote to the client.
After obtaining the FormsAuthenticationTicket object, the server checks whether the ticket is non-persistent. If so, the timeout attribute in web.config sets the validity period used to renew the authentication-ticket cookie. To avoid hurting performance, the cookie is renewed only after more than half of the configured time has elapsed, which can cost some accuracy. A persistent cookie does not time out.

4) Before the HttpApplication.ResolveRequestCache event, ASP.NET begins to locate the page the user requested and establishes the HttpHandler control point. This means that the user's access permissions are verified, checking whether the user or one of their roles is allowed to access this page, by the HttpApplication.ResolveRequestCache event; changing the user's identity or roles after that point in the request lifecycle has no effect.

This is the ASP.NET Forms authentication process. It shows that Forms authentication is user-based and provides no direct support for role-based authorization. The Name property of the FormsAuthenticationTicket is the user ID. The ticket also has a UserData property that the application can fill with custom data; we can use this field to store role information and so implement role-based authorization.

The login button handler below validates the user and writes the role information into the ticket:

```csharp
private void button_Click(object sender, System.EventArgs e)
{
    // The AdminUserVO object class corresponds to the AdminUser user table.
    AdminUserVO adminUserVO = new AdminUserVO();

    adminUserVO.Uname = UserName.Text.Trim();
    adminUserVO.Upwd = UserPwd.Text.Trim();
    adminUserVO.LastIP = HttpContext.Current.Request.UserHostAddress;
    adminUserVO.LastTime = DateTime.Now;

    // LoginDAO.Chk validates the credentials against the database.
    bool flag = new LoginDAO().Chk(adminUserVO);

    if (flag)
    {
        // This statement can be used for non-role authentication:
        // System.Web.Security.FormsAuthentication.SetAuthCookie(UserName.Text.Trim(), false);

        // Create role authentication information and write the roles into UserData.
        // SetLoginCookie is the application's own helper (not shown on this page).
        SetLoginCookie(adminUserVO, adminUserVO.Roles.ToLower());

        HttpContext.Current.Response.Redirect("Main.aspx");
    }
    else
    {
        HttpContext.Current.Response.Write("Logon Failed");
    }
}
```
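As an added example, not code from the original page, here is one way to implement the SetLoginCookie helper (assumed signature: user name plus a comma-separated role string) together with the Global.asax handler that turns UserData back into a GenericPrincipal with roles before the permission check described in step 4 runs. It assumes web.config uses protection="All", so the ticket is encrypted and signed with the machineKey and the client cannot edit the role list.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Assumed helper (not from the original page): issues a Forms ticket whose UserData
// carries the comma-separated role list, e.g. "admin,editor".
public static class RoleTicket
{
    public static void SetLoginCookie(string userName, string roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,                            // becomes FormsIdentity.Name
            DateTime.Now,                        // issue time
            DateTime.Now.AddMinutes(30),         // expiry; choose to match web.config timeout
            false,                               // non-persistent: session cookie only
            roles,                               // UserData: custom payload holding the roles
            FormsAuthentication.FormsCookiePath);

        // Encrypt and MAC the ticket with the machineKey so the client cannot alter UserData.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                         // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL  // honour requireSSL from web.config
        };
        HttpContext.Current.Response.Cookies.Add(cookie);
    }

    // Rebuilds the principal from the ticket so IsInRole and <authorization roles="..."/>
    // see the roles. Must run in Application_AuthenticateRequest, before ResolveRequestCache.
    public static void AttachRoles(HttpContext context)
    {
        if (context.User == null) return;                // anonymous request: nothing to do
        var identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;
        string userData = identity.Ticket.UserData ?? string.Empty;
        string[] roles = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);  // m_role is now populated
    }
}

// Global.asax.cs: hook the rebuild into the request pipeline.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        RoleTicket.AttachRoles(HttpContext.Current);
    }
}
```

Because the roles live inside the ticket, a role change in the database is not seen until the user's ticket expires or they log in again, so keep the expiry short or force re-login when roles are revoked.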