Authentication configuration in asp.net

最新推荐文章于 2025-09-09 15:40:52 发布
转载 最新推荐文章于 2025-09-09 15:40:52 发布 · 225 阅读 · 0 ·
CC 4.0 BY-SA版权
原文链接:http://www.cnblogs.com/chucklu/p/7805550.html
文章标签:

#测试

本文详细介绍了ASP.NET中的身份验证配置与实现方式,包括自定义表单身份验证、Windows身份验证等,并探讨了HttpCookie类在身份验证中的作用及配置选项。

https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/

https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/security/authenticating-users-with-windows-authentication-cs

 

authentication Element (ASP.NET Settings Schema)

Configures an ASP.NET application for custom forms–based authentication.

<authentication mode="Windows">
   <forms 
      name=".ASPXAUTH" 
      loginUrl="login.aspx" 
      defaultUrl="default.aspx" 
      protection="All" 
      timeout="30" 
      path="/" 
      requireSSL="false" 
      slidingExpiration="true" 
      cookieless="UseDeviceProfile" domain="" 
      enableCrossAppRedirects="false">
      <credentials passwordFormat="SHA1" />
   </forms>
   <passport redirectUrl="internal" />
</authentication>

<forms> Element

loginUrl  Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is default.aspx.

name  Specifies the HTTP cookie to use for authentication. By default, the value of name is .ASPXAUTH. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each application's Web.config file.

timeout  Specifies the amount of time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision. Persistent cookies do not time out.

slidingExpiration  Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expiration upon each request during a single session.

           true  Specifies that sliding expiration is enabled. The authentication cookie is refreshed and the time to expiration is reset on subsequent requests during a single session. The default for version 1.0 of ASP.NET was true.

           false  Specifies that sliding expiration is not enabled and the cookie expires at a set interval from the time it was originally issued. The default is false.

defaultUrl  

Optional attribute.

Defines the default URL that is used for redirection after authentication.

This attribute is new in the .NET Framework version 2.0.

The default is "default.aspx".

path  

Optional attribute.

Specifies the path for cookies that are issued by the application.

The default is a slash (/), because most browsers are case-sensitive and will not send cookies back, if there is a path case mismatch.

 上面的部分属性可以在IIS中进行配置

<authentication mode="Forms">  
  <forms loginUrl="member_login.aspx"  
    cookieless="UseCookies"  
    path="/MyApplication" />  
</authentication>  

FormsAuthentication类中的静态字段

 https://stackoverflow.com/questions/879321/formsauthentication-formscookiepath

https://www.quirksmode.org/js/cookies.html

Domain and path

Each cookie also has a domain and a path. The domain tells the browser to which domain the cookie should be sent. If you don't specify it, it becomes the domain of the page that sets the cookie, in the case of this page www.quirksmode.org.
Please note that the purpose of the domain is to allow cookies to cross sub-domains. My cookie will not be read by search.quirksmode.org because its domain is www.quirksmode.org . When I set the domain to quirksmode.org, the search sub-domain may also read the cookie.
I cannot set the cookie domain to a domain I'm not in, I cannot make the domain www.microsoft.com . Only quirksmode.org is allowed, in this case.

The path gives you the chance to specify a directory where the cookie is active. So if you want the cookie to be only sent to pages in the directory cgi-bin, set the path to /cgi-bin. Usually the path is set to /, which means the cookie is valid throughout the entire domain.
This script does so, so the cookies you can set on this page will be sent to any page in the www.quirksmode.org domain (though only this page has a script that searches for the cookies and does something with them).

https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_path

 

 

HttpCookie

Provides a type-safe way to create and manipulate individual HTTP cookies.

The HttpCookie class gets and sets properties of individual cookies. The HttpCookieCollection class provides methods to store, retrieve, and manage multiple cookies.

ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of the HttpRequest object contains cookies transmitted by the client to the server in the Cookie header. The collection accessed through the Cookies collection of the HttpResponse object contains new cookies created on the server and transmitted to the client in the Set-Cookie HTTP response header.

 

HttpCookie.Path

 Gets or sets the virtual path to transmit with the current cookie.

The virtual path to transmit with the cookie. The default is /, which is the server root.

The Path property extends the Domain property to completely describe the specific URL to which the cookie applies.

For example, in the URL http:/www.microsoft.com/asp, the domain is www.microsoft.com and the path is /asp.

 

HttpCookie.Domain

Gets or sets the domain to associate the cookie with.

The name of the domain to associate the cookie with. The default value is the current domain.

Setting the Domain attribute limits transmission of the cookie to clients requesting a resource from that domain.

 

 

 

 

启用windows 授权的话,需要在IIS中打开,参考https://docs.kentico.com/k10/managing-users/user-registration-and-authentication/configuring-windows-ad-authentication

 

sessionState Element (ASP.NET Settings Schema)

https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.100).aspx

timeout

Optional TimeSpan attribute.

Specifies the number of minutes a session can be idle before it is abandoned. The timeout attribute cannot be set to a value that is greater than 525,600 minutes (1 year) for the in-process and state-server modes.

The session timeout configuration setting applies only to ASP.NET pages. Changing the session timeout value does not affect the session time-out for ASP pages. Similarly, changing the session time-out for ASP pages does not affect the session time-out for ASP.NET pages.

The default is 20 minutes.

 https://msdn.microsoft.com/en-us/library/ms178581.aspx

 

转载于:https://www.cnblogs.com/chucklu/p/7805550.html

ASP.Net MVC登录及授权
m0_46704355的博客
04-16 384
在OnApplicationInitialization里添加鉴权和授权。
分享一个 ASP.NET WebForm 使用 Form Authentication 的例子
yangshuquan的专栏
06-04 1459
Form Authentication 是一种经典而又灵活的身份验证的方式,配合近些年比较流行的 LDAP/AD 域账户,账户的安全由 LDAP/AD 域分配和控制,Form Authentication 的灵活性和方便性就体现出来了
Spring Security Config : AuthenticationConfiguration
Details Inside Spring
05-06 2884
源代码版本 : Spring Security Config 5.1.4.RELEASE Spring Security认证组件bean配置类。 源代码 package org.springframework.security.config.annotation.authentication.configuration; // 省略 imports /** * Exports the a...
SpringSecurity------AuthenticationConfiguration配置类
豢龙先生
12-25 2928
SpringSecurity------AuthenticationConfiguration配置类一、AuthenticationConfiguration主要做了什么二、AuthenticationConfiguration是怎样被加载的三、WebSecurityConfiguration的源码分析1、属性字段2、注入了一些Bean3、输出了一些Bean4、一些内部类5、关键方法6、关键注解@Import(ObjectPostProcessorConfiguration.class) 一、Authent
Authentication in asp.net
weixin_34026484的博客
11-08 213
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs https://docs.microsoft.com/en-us/iis/configuration/system.webser...
学习014-01-02-02-03 OAuth2 Authentication Providers in ASP.NET Web Forms Applications(ASP.NET Web Form
DevExpress Xaf 学习专栏
07-23 1139
本文介绍了在ASP.NET Web Forms应用程序中集成OAuth2身份验证提供程序的方法,重点演示了Microsoft账户登录的实现。文章首先指导开发者在服务提供商注册应用,并配置Web.config文件设置表单认证模式和回调路由。接着详细说明了所需NuGet包的安装步骤,包括Microsoft.Owin、身份验证相关包和Microsoft.Identity.Web等。随后通过创建Startup类配置OWIN服务,使用OpenID Connect实现身份认证流程,并强调需要从Azure门户获取客户端I
Asp.net core使用Authentication使用jwt简单登录认证
qq_43014802的博客
08-09 650
webapi使用jwt;研究了两天,简单使用就这些,如果需要token续期或者刷新或者自定义校验处理需要重写比较麻烦。配置jwt所需配置,再appsettings.json文件。在controller中单独获取请求头可使用。使用流程是:先认证登录 -> 再校验权限。安装依赖,.net8版本为例。
ASP.NET Authentication - Form Authentication
tomcat的专栏
09-08 1452
1.概念 ASP.NET的应用最开始是部署在企业内部,登录之后才能访问。如果用户直接访问非登录页,网站会先校验用户是否已登录,如果答案是否,网站认为当前的访问是未经授权的,网站立即跳转到登录页,登录之后跳转到之前访问的页面。这种以登录表单作为认证的方式就是表单认证(Form Authentication) 表单认证是最简单的认证方式,优点是配置十分简单,缺点是所有的页面(除登录页)必须经过
学习014-01-02-02-01 Active Directory and OAuth2 Authentication Providers in ASP.NET Core Blazor Applic
DevExpress Xaf 学习专栏
07-22 799
摘要:本文介绍了在ASP.NET Core Blazor应用程序中集成Active Directory和OAuth2身份验证的方法。主要内容包括:必须使用标准身份验证作为基础;配置Windows身份验证的步骤(修改launchSettings.json和Startup.cs文件);如何自动创建带默认角色的新用户;以及设置未授权用户重定向页面以避免无限循环。适用于需要在现有XAF解决方案中扩展认证方式的开发场景,提供了EF Core和XPO两种数据访问方式的代码示例。
aspnet-core-3-jwt-authentication-api:ASP.NET Core 3.1 JWT身份验证API
01-30
ASP.NET Core 3.1 JWT身份验证API是一个用于构建安全Web API的重要技术栈,它允许开发者为客户端应用程序提供基于JSON Web Token(JWT)的身份验证。JWT是一种轻量级的、安全的身份验证机制,广泛应用于单页应用...
使用Azure Active Directory和OpenID Connect在ASP.NET Core 2.0中进行身份验证和授权
04-05
本文将深入探讨如何利用Azure Active Directory(Azure AD)和OpenID Connect在ASP.NET Core 2.0框架中实现这一目标。Azure AD是一种云身份管理解决方案,它允许开发人员构建安全的应用程序并连接到全球数百万个组织...
C# ASP.NET 身份验证方式全面解析
记录学习的过程
05-22 1082
本文深入探讨了 ASP.NET 中的多种身份验证机制,包括 Cookie 身份验证、JWT 身份验证、OAuth 和 OpenID Connect、Windows 身份验证以及基于声明的身份验证。每种机制都有其独特的实现原理和适用场景。Cookie 身份验证通过加密的 Cookie 存储用户信息,JWT 身份验证则使用 JSON 令牌进行用户身份确认。OAuth 和 OpenID Connect 允许通过第三方身份提供商进行验证,Windows 身份验证适用于企业内部网络,而基于声明的身份验证则将用户身份表
基于Qwen Coder的上下文工程编程框架,为AI辅助开发提供标准化流程
m0_38007743的博客
09-07 1115
随着 AI 编程技术的快速发展,如何有效地利用 AI 助手进行高质量的代码开发成为业界关注的焦点。本项目是一个基于提示词工程方法论的 AI 辅助开发框架,运行于Qwen Coder CLI 平台。它通过提供结构化的提示词模板和验证机制,引导 AI 生成高质量、可运行的代码,并确保代码质量。FEATURE定义要实现的功能特性EXAMPLES提供参考示例和最佳实践列出必要的技术文档和资源考虑安全、部署等其他重要因素将 commands目录下的文件拷贝到 Qwen Coder 安装目录的。
AI驱动的软件测试:革命性的自动化、缺陷检测与实验优化
zzywxc787的博客
09-06 704
人工智能(AI)和机器学习(ML)技术的融入,正在从根本上重塑软件测试的格局,将其从一种主要是手动的、重复性的任务转变为一种智能的、预测性的、且持续优化的过程。*说明:多臂老虎机算法(MAB)由于将更多流量分配给了更好的版本B,其累积回报(点击次数)的增长速度远快于传统A/B测试(固定50/50分流)。: 利用NLP技术(如文本分类)自动分析新提交的Bug报告的内容、标题和描述,将其自动分类(如“前端UI问题”、“后端API错误”),并推荐或分配给最合适的开发人员(基于谁修改了相关代码文件)。
飞算JavaAI炫技赛:电商系统开发全流程实战解析
2301_81073317的博客
09-05 1641
飞算JavaAI插件通过智能化手段实现Java开发全流程自动化,显著提升电商系统开发效率。该工具能自动完成需求分析、架构设计、代码生成等环节,将传统3-5天的开发周期缩短至30分钟。核心优势包括:需求智能解析(自然语言转功能点)、可视化开发流程、80%代码自动生成。但存在通用模块缺失、接口功能重叠、测试覆盖不足等局限,综合评分8.8/10。特别适合中小企业快速构建标准化业务系统,但对高定制化、高性能场景支持有限。未来可通过增强需求分析能力、完善测试自动化等方向优化,成为连接业务与技术的智能化开发平台。
分布式通信平台测试报告
2302_81016149的博客
09-06 601
抽象层(abstract.hpp):定义基础接口,包括消息、缓冲区、协议、连接、服务器和客户端等。工具层(detail.hpp):提供日志、JSON序列化、UUID生成等基础工具。消息层(message.hpp):实现各种消息类型,如RPC请求/响应、主题请求/响应、服务请求/响应等。网络层(net.hpp):基于muduo网络库实现TCP服务器和客户端,处理网络通信。分发器(dispatcher.hpp):实现消息分发机制,根据消息类型调用对应的处理函数。
python 自动化测试
m0_68405758的博客
09-08 692
123456789101112131415161718192021222324252627282930313233343536。
什么是Jmeter? Jmeter工作原理是什么?
最新发布
HUACE5400的博客
09-09 570
Apache JMeter 是 Apache 组织开发的基于 Java 的压力测试工具。用于对软件做压力测试,它最初被设计用于 Web 应用测试,但后来扩展到其他测试领域。它可以用于测试静态和动态资源,例如静态文件、Java 小服务程序、CGI 脚本、Java 对象、数据库、FTP 服务器, 等等。JMeter 可以用于对服务器、网络或对象模拟巨大的负载,来自不同压力类别下测试它们的强度和分析整体性能。
ASP.NET身份验证机制详解
ASP.NET提供了几种不同的身份验证方法,但最常用的是"Forms Authentication",它是一种基于Web的形式,不同于传统的Windows或Passport身份验证方式。Forms Authentication允许开发者创建自定义的登录界面和流程,...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值