A while ago two friends asked me why the Session value was not available in an HttpModule; they wanted to write a custom HttpModule and read the Session in it for user authentication. I wondered why one would not use the validation mechanisms the .NET Framework already provides, and would instead do it by hand, as in ASP, with cookie + Session validation. We are programming on the .NET Framework platform, so I think that in many cases using the framework's established mechanisms can significantly increase productivity, and the .NET Framework's built-in validation mechanisms are often more secure.
.NET provides a complete set of authentication and authorization mechanisms, and the two are different concepts. Authentication means "prove you really are who you say you are": usually you provide a username and password, which are then compared with the username and password in persistent storage (such as a database). Authorization means "whether you have sufficient authority to do something" once your identity has been proven (anonymous user, member or administrator), and it is usually associated with the user group or user level. Different groups of users have different permissions (to access specific pages or perform specific actions).
I recall that when I first came into contact with .NET, I also bypassed .NET authentication completely and coded authentication myself with cookie + Session, just as in ASP. The reason at the time was that I wanted to use a custom user table and could not use the series of data tables in the ASPNETDB.MDF file that the ASP.NET security mechanism generates automatically under App_Data. There was another reason as well: IPrincipal and Identity, the core of the .NET authentication mechanism, provide too little user information. When you use the inherited User property (of type IPrincipal) in a page's code-behind, its Identity property has only Name associated with the user's data (AuthenticationType and IsAuthenticated both relate to validation), and many times we need a lot of additional user data. In fact, this is only a misunderstanding: the belief that using ASP.NET's authentication mechanism and Login control forces you to use the data tables that accompany them, and that Identity can only carry a Name property.
In fact, the .NET security mechanism includes several parts: besides authentication, there are Membership, Profile, Role, and so on. We can use only its authentication mechanism and bypass Membership, Profile and Role, achieving everything we usually do with cookies + Session, more efficiently and more securely. This article will quickly implement such a process.
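
As an added illustration (not code from the original article): one way to use only Forms authentication with a custom user table while carrying more than a name is to put the extra data in the ticket's `UserData` field and rebuild the principal on each request. `SiteAuth`, `SignIn`, `RestorePrincipal` and the `id|role` layout are hypothetical names; the password is assumed to have been verified against your own table before `SignIn` is called.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: call SignIn only after the password has been
// verified against your own user table.
public static class SiteAuth
{
    public static void SignIn(HttpResponse response, string userName, int userId, string role)
    {
        // Extra user data rides in UserData. With the default <forms protection="All">
        // the ticket is encrypted and integrity-protected using the machineKey.
        string userData = userId + "|" + role;           // assumed layout: id|role
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, userData, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows <forms requireSSL="...">
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax.
    public static void RestorePrincipal(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;   // anonymous request

        // FormsAuthenticationModule has already decrypted and validated the ticket.
        string[] parts = (identity.Ticket.UserData ?? "").Split('|');
        if (parts.Length != 2) return;                   // unexpected layout: keep default principal

        // User.IsInRole and <authorization> rules now work without the Role provider.
        context.User = new GenericPrincipal(identity, new[] { parts[1] });
    }
}
```

Keep `UserData` small, since the encrypted ticket has to fit in a single cookie, and remember that its contents stay fixed until the ticket is reissued, so a role change takes effect only at the next sign-in.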