Forms authentication without a (visible) form


A user can browse your web pages anonymously or as an authenticated user. This is set in the web.config of your site.

<authorization>
   <allow users="*" /> <!-- Allow all users -->
</authorization>

By default every user can browse any page. If you want to know who is requesting, deny access to unknown users:

<authorization>
  <deny users="?"/>
</authorization>

Now every user has to be authenticated to view a page. You can also set this on a per-page basis by adding location sections to the web.config:

<location path="AuthRequired.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

Take a look at the ASP.NET Forums app to get an idea of how to use that. In a forum everybody can browse and read the posts, but you have to be authenticated to post or reply.

ASP.NET has several ways of authentication built in: Windows integrated, Passport and forms. With forms authentication, the user is forced to a login page before visiting a page. This login page is also set from the web.config file:

<authentication mode="Forms">
  <forms name=".MyAuthCookieName"
      loginUrl="AuthenticateHere.aspx"
      protection="All"
      timeout="30" />
</authentication>

On the login page the user enters a username and password, which are validated against one source or another. When they are approved, the code sets an authentication cookie. With this cookie the user can visit all protected pages without having to log in again and again. When the code issues a persistent cookie, the login persists across sessions ("Remember me").

But nothing forces you to pop up a form. ASP.NET doesn't care as long as the cookie is set. You could do this, for instance:

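private void AuthenticateHere_Init(object sender, System.EventArgs e)
{
   // isValidAddress is a custom method: it decides whether this client address gets a cookie
   if (isValidAddress(Context.Request.UserHostAddress))
   {
      // Issue a non-persistent authentication cookie; the client address becomes the user name
      System.Web.Security.FormsAuthentication.SetAuthCookie(Context.Request.UserHostAddress, false);
      // ReturnUrl comes from the querystring, so the client controls it:
      // only follow it when it is a path inside this site
      string redirectUrl = Page.Request.QueryString["ReturnUrl"];
      if (redirectUrl != null && redirectUrl.StartsWith("/")
          && !redirectUrl.StartsWith("//") && !redirectUrl.StartsWith("/\\"))
      {
         Page.Response.Redirect(redirectUrl);
         Page.Response.End();
      }
   }
}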

Right at the start of the page's lifecycle, in the Init event of the page, the cookie is set. Why the user deserves an authentication cookie is up to you; here I use a custom method, isValidAddress. After setting the cookie, the app is redirected to the page that requested the authentication and the response is ended. FormsAuthentication passes the URL in the querystring. In the browser toolbar you will see the authenticate page being hit; on a successful authentication the browser jumps directly to the page requested in the querystring.
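
One way to write the address check that the post leaves open, as an added example that is not the author's code: a default-deny allowlist of CIDR ranges. The class name, the sample ranges and the method bodies are assumptions; only the idea of a custom isValidAddress comes from the post.

```csharp
using System;
using System.Net;

public static class AddressCheck
{
    // Constructed sample allowlist (assumption): replace with your own ranges.
    private static readonly string[] AllowedRanges =
        { "10.20.0.0/16", "192.168.5.0/24", "::1/128" };

    public static bool IsValidAddress(string userHostAddress)
    {
        IPAddress client;
        if (!IPAddress.TryParse(userHostAddress, out client))
            return false;                          // unparsable input is never trusted
        if (client.IsIPv4MappedToIPv6)             // ::ffff:a.b.c.d -> a.b.c.d (.NET 4.5+)
            client = client.MapToIPv4();
        foreach (string range in AllowedRanges)
            if (InRange(client, range)) return true;
        return false;                              // default deny
    }

    private static bool InRange(IPAddress client, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        // An IPv4 client never matches an IPv6 range, and vice versa.
        if (network.AddressFamily != client.AddressFamily) return false;

        byte[] a = client.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        if (prefix < 0 || prefix > n.Length * 8) return false;

        // Compare the whole bytes of the prefix, then the remaining high bits.
        int fullBytes = prefix / 8, restBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (restBits == 0) return true;
        int mask = (0xFF << (8 - restBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }
}
```

Request.UserHostAddress is the address of the TCP peer, so behind a reverse proxy or load balancer every visitor presents the proxy's address. Once issued, the cookie is not tied to that address and stays valid for its timeout wherever the browser goes.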

The nice thing about forms authentication is that it is completely set from the web.config. This way you can hook your own authentication into an existing app, such as the ASP.NET Forums.

Peter
