Details about membership/role that you may not know

Source: Internet
Author: User

1. About System.Web.Security.Membership.ValidateUser("username", "password")

Have you noticed which SQL statements are executed each time you call this method?

(A) If the user name does not exist, the following statements are executed:
exec dbo.aspnet_CheckSchemaVersion @Feature=N'common', @CompatibleSchemaVersion=N'1'

exec dbo.aspnet_CheckSchemaVersion @Feature=N'Membership', @CompatibleSchemaVersion=N'1'

exec dbo.aspnet_Membership_GetPasswordWithFormat @ApplicationName=N'app_luckty', @UserName=N'username', @UpdateLastLoginActivityDate=1, @CurrentTimeUtc=''2017-06-02 12:22:34:563''

(B) If the user name exists, the following two statements are executed in addition to the preceding ones:
exec sp_reset_connection

exec dbo.aspnet_Membership_UpdateUserInfo @ApplicationName=N'app_luckty', @UserName=N'yjmyzz@126.com', @IsPasswordCorrect=0, @UpdateLastLoginActivityDate=1, @MaxInvalidPasswordAttempts=999, @PasswordAttemptWindow=999, @CurrentTimeUtc=''2009-06-02 12:26:04:173'', @LastLoginDate=''2009-06-02 12:15:53:860'', @LastActivityDate=''2009-06-02 12:15:53:860''

What is the use of sp_reset_connection?

Description from http://msdn.microsoft.com/zh-cn/library/ms187961(SQL.90).aspx:

The sp_reset_connection stored procedure is used by SQL Server to support remote stored procedure calls in transactions. When you reuse a connection from a connection pool, this stored procedure also triggers the audit login and audit logout events.

2. if (User.Identity.IsAuthenticated) {...} or if (User.IsInRole("rolename")) {...}: how does the system know whether the current user has logged on (or belongs to a role)?

(A) First guess: is the database queried? Of course not. If you do not believe it, monitor the SQL statements sent to the database.
(B) Second guess: is it in the session? No. If you do not believe it, set EnableSessionState="false" and try again; it still works.
(C) Third guess: is it in the cookie? Correct. If you do not believe it, disable cookies (we recommend the most extreme method: set the Documents and Settings\Administrator\Cookies directory so that no user can read it), and you will no longer be able to log on to the system.

3. Apart from FormsAuthentication.SignOut(), is there any other way to log out the "current" user, or a way to log out a "specified" user?

From point 2, it is easy to conclude that you only need to find the client cookie of the specific user and make it expire. See the following code:
// Build the forms-authentication cookie for the given user and back-date its expiry.
HttpCookie _cookie = FormsAuthentication.GetAuthCookie(username, true);
_cookie.Expires = DateTime.Now.AddDays(-1);
// The expired cookie is sent in the current response, so the browser that made this request discards it.
HttpContext.Current.Response.Cookies.Add(_cookie);
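Expiring the cookie only changes what the browser receiving that response stores; the ticket inside a copied cookie stays valid until its own expiry. The following is an added example, not code from the original page, of a server-side check that rejects a specified user's tickets through the FormsAuthenticationModule Authenticate event. RevocationList is a hypothetical helper, and its in-memory store assumes a single server with cookie-based tickets.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not part of ASP.NET): remembers when each user was force-logged-out.
public static class RevocationList
{
    // userName -> UTC cutoff; tickets issued at or before the cutoff are rejected.
    // In-memory for brevity (assumption): a web farm needs a shared store instead.
    private static readonly ConcurrentDictionary<string, DateTime> RevokedBefore =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public static void Revoke(string userName) { RevokedBefore[userName] = DateTime.UtcNow; }

    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime cutoff;
        return RevokedBefore.TryGetValue(ticket.Name, out cutoff)
            && ticket.IssueDate.ToUniversalTime() <= cutoff;
    }
}

public class Global : HttpApplication
{
    // Raised by FormsAuthenticationModule before it validates the ticket, so a revoked
    // ticket is rejected before sliding expiration can re-issue it with a fresh IssueDate.
    public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        HttpCookie cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; } // malformed or tampered: leave it to the module
        if (ticket == null || !RevocationList.IsRevoked(ticket)) return;

        // Supplying an anonymous principal makes the module skip the cookie entirely.
        e.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        FormsAuthentication.SignOut(); // also expire the cookie in this browser
    }
}
```

Calling RevocationList.Revoke(userName) from an administrative action logs the specified user out on their next request from any browser; a fresh login issues a ticket dated after the cutoff and is accepted.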
