asp.net 在登录期间拒绝特定用户 cookie
asp.net deny specific user cookie during login
我正在尝试拒绝特定用户登录系统的管理区域,在它获得从现在起 30 天后到期的 FormsAuthenticationTicket 之后。我正在手动完成所有操作,并且正在使用 asp.net 网络表单。
我的登录码如下:
protected void btnLogin_Click(object sender, EventArgs e)
{
User u = LoginDataAccess.CheckLogin(txtEmail.Text, txtPassword.Text);
if (u.Id == 0)
{
lbInfo.Text = "Invalid credentials.";
lbInfo.CssClass = "label-warning";
}
else
{
LoginDataAccess.Authenticate(u, Response.Cookies, cbRememberMe.Checked);
}
}
而 LoginDataAccess.Authenticate 方法是这样的:
public static void Authenticate(User user, HttpCookieCollection cookies, bool remember)
{
GenericIdentity gi = new GenericIdentity(user.Name);
string role = UserRoles.GetRole(user.Roles);
GenericPrincipal gp = new GenericPrincipal(gi, new string[] { role });
FormsAuthentication.RedirectFromLoginPage(user.Name, true);
if (remember)
{
cookies.Clear();
DateTime expiryDate = DateTime.Now.AddDays(30);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, user.Nome, DateTime.Now, expiryDate, true, String.Empty);
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authenticationCookie.Expires = ticket.Expiration;
cookies.Add(authenticationCookie);
}
}
我的检查登录方法为用户搜索数据库。我很清楚每次用户启动会话时我都需要这样做。如何做到这一点?
如果您想将自定义身份验证逻辑注入您的应用程序,请在 Global.asax 中创建一个名为 Application_AuthenticateRequest 的方法。那里的代码在内部身份验证机制之后立即执行。
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
var context = HttpContext.Current;
if (context.User != null && context.User.Identity != null && context.User.Identity.IsAuthenticated)
{
if (SomeClass.UserIsExpired(context.User))
{
// Clear cookies or whatever you need to do
// Throw a 401 to deny access
throw new HttpException(401, "User account is expired");
}
}
}
有关身份验证如何发生的详细信息,请参阅此 post:
AuthenticateRequest event
我正在尝试拒绝特定用户登录系统的管理区域,在它获得从现在起 30 天后到期的 FormsAuthenticationTicket 之后。我正在手动完成所有操作,并且正在使用 asp.net 网络表单。
我的登录码如下:
protected void btnLogin_Click(object sender, EventArgs e)
{
User u = LoginDataAccess.CheckLogin(txtEmail.Text, txtPassword.Text);
if (u.Id == 0)
{
lbInfo.Text = "Invalid credentials.";
lbInfo.CssClass = "label-warning";
}
else
{
LoginDataAccess.Authenticate(u, Response.Cookies, cbRememberMe.Checked);
}
}
而 LoginDataAccess.Authenticate 方法是这样的:
public static void Authenticate(User user, HttpCookieCollection cookies, bool remember)
{
GenericIdentity gi = new GenericIdentity(user.Name);
string role = UserRoles.GetRole(user.Roles);
GenericPrincipal gp = new GenericPrincipal(gi, new string[] { role });
FormsAuthentication.RedirectFromLoginPage(user.Name, true);
if (remember)
{
cookies.Clear();
DateTime expiryDate = DateTime.Now.AddDays(30);
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, user.Nome, DateTime.Now, expiryDate, true, String.Empty);
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authenticationCookie.Expires = ticket.Expiration;
cookies.Add(authenticationCookie);
}
}
我的检查登录方法为用户搜索数据库。我很清楚每次用户启动会话时我都需要这样做。如何做到这一点?
如果您想将自定义身份验证逻辑注入您的应用程序,请在 Global.asax 中创建一个名为 Application_AuthenticateRequest 的方法。那里的代码在内部身份验证机制之后立即执行。
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
var context = HttpContext.Current;
if (context.User != null && context.User.Identity != null && context.User.Identity.IsAuthenticated)
{
if (SomeClass.UserIsExpired(context.User))
{
// Clear cookies or whatever you need to do
// Throw a 401 to deny access
throw new HttpException(401, "User account is expired");
}
}
}
有关身份验证如何发生的详细信息,请参阅此 post:
AuthenticateRequest event