Is there any good reason why the authentication cookie and the session state cookie are two separate cookies?

Backend · open · 3 answers · 806 views
后悔当初 2021-01-22 18:54

Is there any good reason why ASP.NET's session state cookie and the Forms Authentication cookie are two separate cookies? What if I want to "tie" them to each other? Is it po

3 answers
  •  猫巷女王i
    2021-01-22 19:14

    I'll start with a solution, then an explanation followed by a recommendation.

    Create a custom authorization attribute:

    Since your application defines Authorized as follows:

    • Logged in
    • Must have values in Session["UserID"] and Session["Password"]

    you need to define your own AuthorizationAttribute

        using System.Web;
        using System.Web.Mvc;
        using System.Web.Security;

        public class AuthorizedWithSessionAttribute : AuthorizeAttribute
        {
            protected override bool AuthorizeCore(HttpContextBase httpContext)
            {
                // Session must be reached through the HttpContextBase passed in;
                // a bare Session reference does not resolve inside an attribute.
                var session = httpContext.Session;

                if (httpContext.Request.IsAuthenticated &&
                    session != null &&
                    session["UserID"] != null && session["Password"] != null)
                    return true;

                // sign them out so they can log back in with the Password
                if (httpContext.Request.IsAuthenticated)
                    FormsAuthentication.SignOut();

                return false;
            }
        }
    

    Replace all your [Authorize] attributes with [AuthorizedWithSession] and you shouldn't need to put session check code in your controllers.

    I don't know enough about your application, but saving passwords in session (even worse in plain text) is not a secure thing to do.

    In addition, as RPM1984 said, the session cookie and authentication cookie are separate.

    Explanation:

    Think of the session as a bucket of info (on the server side) with your name on it. ASP.NET can take and put stuff in that bucket. ASP.NET gives you a name, your session id, and puts it on the bucket so it can know which one is yours.

    The authentication cookie tells ASP.NET that you're authenticated and stores your authentication name in it. The authentication name is usually set by the developer of the application and is usually a unique key (think primary key in a DB) to separate you from the other users.

    Recommendation to be more secure:

    Encrypt the passwords before you store them. This is not total security, but it beats storing passwords in plain text and of course, if someone were to get a hold of the encryption key, they can crack the passwords.
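
Added example, not part of the answer above and not ASP.NET's own API: the question asks how to "tie" the Forms Authentication cookie to the session cookie, and the answer explains that the two are independent (a server-side bucket keyed by session ID versus an encrypted ticket carrying the user name). One way to bind them is to generate a random token at login, store it in the session bucket and also place it in the ticket's UserData field; an authorize attribute then accepts a request only when the token in the presented ticket matches the one in the live session. The class and member names `SessionBoundAuth`, `SessionBindingKey`, `IssueBoundTicket`, `TicketMatchesSession` and `SessionBoundAuthorizeAttribute` are assumptions chosen for this example; the framework calls (`FormsAuthenticationTicket`, `FormsAuthentication.Encrypt`, `FormsIdentity.Ticket`, `HttpContextBase.Session`) are real ASP.NET MVC APIs.

```csharp
// Added example (not from the original answer): bind the Forms Authentication
// ticket to the server-side session with a random token carried in UserData.
// Names SessionBoundAuth, SessionBindingKey, IssueBoundTicket,
// TicketMatchesSession and SessionBoundAuthorizeAttribute are hypothetical.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class SessionBoundAuth
{
    // Session key under which the binding token is kept (hypothetical name).
    public const string SessionBindingKey = "AuthBinding";

    // Call this from the login action, after the password check, in place of
    // FormsAuthentication.SetAuthCookie.
    public static void IssueBoundTicket(HttpContextBase ctx, string userName, bool persistent)
    {
        // 256-bit random token: the only thing that links cookie and session.
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);

        // Server side: the token lives in the session bucket.
        ctx.Session[SessionBindingKey] = token;

        // Client side: the same token rides in the encrypted, MAC'd ticket.
        var ticket = new FormsAuthenticationTicket(
            2, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, token, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath,
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        ctx.Response.Cookies.Add(cookie);
    }

    // True only when the presented ticket's token equals the live session's.
    // A replayed ticket against a different session, or a session that has
    // expired and been recreated empty, both fail here.
    public static bool TicketMatchesSession(HttpContextBase ctx)
    {
        var identity = ctx.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;

        string expected = ctx.Session?[SessionBindingKey] as string;
        string presented = identity.Ticket.UserData;
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(presented))
            return false;

        return FixedTimeEquals(expected, presented);
    }

    // Constant-time comparison; CryptographicOperations.FixedTimeEquals is
    // not available on .NET Framework 4.x, so it is written out here.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class SessionBoundAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (SessionBoundAuth.TicketMatchesSession(httpContext))
            return base.AuthorizeCore(httpContext); // keeps Roles/Users checks

        // Session gone or cookie belongs to another session: drop both sides.
        if (httpContext.Request.IsAuthenticated) FormsAuthentication.SignOut();
        httpContext.Session?.Abandon();
        return false;
    }
}
```

Decorate controllers with `[SessionBoundAuthorize]` instead of `[Authorize]`, and call `SessionBoundAuth.IssueBoundTicket(HttpContext, user.Name, rememberMe)` once the credentials have been verified. A fresh random token is used rather than `Session.SessionID` because ASP.NET does not fix the session ID until something is written to the session and will happily accept a client-supplied ID for an empty session, so the ID alone is a weak thing to bind to. With the token approach nothing secret needs to sit in the session, so the `Session["Password"]` check from the original answer becomes unnecessary.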
