In some web systems, authentication relies on a hardware certificate: a USB certificate is inserted into the computer, a browser plug-in reads the certificate information, and the identity information is appended to the header fields when the HTTP login request is sent. Server-side handling of such a login request is simple in principle: read the relevant HTTP header fields and process them accordingly.
A website built on the ASP.NET MVC architecture can use the same mechanism. The following walkthrough demonstrates the procedure in Visual Studio 2012.
First, create an ASP.NET MVC 4 project.
When you select a template, leave the default values.
The system has set up some files according to the preset template, as shown in.
Because we need to modify the login logic, open AccountController.cs. The default code associated with user login is shown below.

    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            return RedirectToLocal(returnUrl);
        }

        // If we got this far, something failed; redisplay the form.
        ModelState.AddModelError("", "The supplied user name or password is incorrect.");
        return View(model);
    }

Make the following modifications to it.

    public ActionResult Login(LoginModel model, string returnUrl)
    {
        for (int i = 0; i < HttpContext.Request.Headers.Count; i++)
        {
            string key = HttpContext.Request.Headers.GetKey(i);
            string value = HttpContext.Request.Headers.GetValues(i)[0];

            // In the HTTP header, we find a key "Connection" with value "keep-alive".
            // We can use the key as the username, and the value as the password.
            if (key == "Connection")
            {
                if (ModelState.IsValid)
                {
                    if (WebSecurity.Login(key, value, persistCookie: model.RememberMe))
                    {
                        return RedirectToLocal(returnUrl);
                    }
                }
                ModelState.AddModelError("", "The supplied user name or password is incorrect.");
                return View(model);
            }
        }

        // In this case, we have overridden the username and password the user enters,
        // so the code below can be removed.
        if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            return RedirectToLocal(returnUrl);
        }
        ModelState.AddModelError("", "The supplied user name or password is incorrect.");
        return View(model);
    }

That completes the code changes. As the comment in the code says, we use the Connection field in the HTTP header as the username and its value, keep-alive, as the password. To be able to log in, however, this user must first be registered.
Once the registration is successful, the system will automatically log you in. In order to verify the changes you just made, first log off, and then reopen the login page, click Login directly.
The login fails at first: the template also comes with basic JavaScript validation, so you cannot log in without filling in anything. Enter any values in the form.
Then click Login.
As we expected, the server intercepted the relevant field in the HTTP Header as the user name and password, and the login was successful.
This article shows the basic idea of HTTP header login under ASP.NET, but a lot of other work remains to be done, so keep going from here.
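
The following added example (not code from the article) goes beyond the demo and shows one way a server could check certificate identity carried in headers instead of trusting the header text itself. It assumes hypothetical header names X-Client-Cert and X-Client-Signature, a random challenge the server issued with the login page, an RSA certificate, and .NET Framework 4.6 or later.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: header names and the challenge flow are assumptions, not from the article.
public static class HeaderCertificateLogin
{
    public const string CertHeader = "X-Client-Cert";           // hypothetical: base64 DER certificate
    public const string SignatureHeader = "X-Client-Signature"; // hypothetical: base64 signature of the challenge

    // Returns true and the certificate's subject name only when the headers prove
    // possession of the private key of a certificate that passes chain validation.
    public static bool TryGetVerifiedUser(NameValueCollection headers, byte[] challenge, out string userName)
    {
        userName = null;
        string[] certValues = headers.GetValues(CertHeader);
        string[] sigValues = headers.GetValues(SignatureHeader);

        // Reject missing or repeated headers instead of picking the first value.
        if (certValues == null || sigValues == null || certValues.Length != 1 || sigValues.Length != 1)
            return false;

        try
        {
            var cert = new X509Certificate2(Convert.FromBase64String(certValues[0]));
            byte[] signature = Convert.FromBase64String(sigValues[0]);

            // Basic chain validation against the machine's trust store.
            if (!cert.Verify())
                return false;

            using (RSA publicKey = cert.GetRSAPublicKey())
            {
                // The signature must cover the challenge this server issued for this login.
                if (publicKey == null ||
                    !publicKey.VerifyData(challenge, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                    return false;
            }

            userName = cert.GetNameInfo(X509NameType.SimpleName, false);
            return !string.IsNullOrEmpty(userName);
        }
        catch (FormatException) { return false; }        // header was not valid base64
        catch (CryptographicException) { return false; } // bytes were not a usable certificate
    }
}
```

In the Login action, such a helper would be called with HttpContext.Request.Headers and the stored challenge, and the returned name mapped to an existing account before a session is issued.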
[Tips] [ASP.NET Hack] Using header fields in HTTP messages for authentication