.NET开发

本类阅读TOP10

·NHibernate快速指南(翻译)
·vs.net 2005中文版下载地址收藏
·【小技巧】一个判断session是否过期的小技巧
·VB/ASP 调用 SQL Server 的存储过程
·?dos下编译.net程序找不到csc.exe文件
·通过Web Services上传和下载文件
·学习笔记(补)《.NET框架程序设计(修订版)》--目录
·VB.NET实现DirectDraw9 (2) 动画
·VB.NET实现DirectDraw9 (1) 托管的DDraw
·建站框架规范书之——文件命名

分类导航
VC语言Delphi
VB语言ASP
PerlJava
Script数据库
其他语言游戏开发
文件格式网站制作
软件工程.NET开发
Forms authentication without a (visible) form

作者:未知 来源:月光软件站 加入时间:2005-2-28 月光软件站

 

A user can browse your web-pages anonymous or as an authenticated user. This is set in the web.config of your site.

<authorization>
   <allow users="*" /> <!-- Allow all users --
>
</authorization>

By default every user can browse any page. If you want to know who is requesting, deny the access to unknown users

<authorization>
  <deny users
="?"/>
</authorization>

Now every user has to be authenticated to view a page. You set authentication on a page basis by adding sections to the web.config

<location path="AuthRequired.aspx">
  <system.web
>
    <authorization
>
     
<deny users
="?"/>
    </authorization
>
  </system.web>

</location>

Take a look at the asp.net forums app to get an idea how to use that. In a forum everybody can browse and read the posts but you have to be authenticated to (react on a) post.

ASP.NET has several ways of authentication built in: Windows integrated, Passport and forms. Using forms authentication the user is forced to a login page before visiting a page. This login page is also set from the web.config file

<authentication mode="Forms">
  <forms name
=".MyAuthCookieName"
      loginUrl="AuthenticateHere.aspx"

      protection
="All"
      timeout="30"
/>
</authentication>

On the login page the user enters a username and password which is supposed to be validated against the one or the other. When approved the code will set an authorization cookie. With this cookie the user can visit all pages shielded off without having to log in again and again. When the code issues a persistent cookie the login will persist over sessions. (Remember me).

But nothing forces you to pop up a form. Asp.Net doesn't care as long as the cookie is set. You could do this for instance

private void AuthenticateHere_Init(object sender, System.EventArgs e)
{
   if (isValidAddress(Context.Request.UserHostAddress))
   {
      System.Web.Security.FormsAuthentication.SetAuthCookie(Context.Request.UserHostAddress, false
);
      string redirectUrl = Page.Request.QueryString["ReturnUrl"
];
      if (redirectUrl != null
)
      {
         Page.Response.Redirect(redirectUrl);
         Page.Response.End();
      }
   }
}

Right in the start of the pages lifecycle, in the init event of the page the cookie is set. Why the user deserves an authentication cookie is up to you, here I use a custom method IsValidAdress. After setting the cookie the response is ended and the app is redirected to the page requesting the authentication. FormsAuthentication passes the url in the querystring. In the browser toolbar you will see the Authenticate page being hit, on a succefull authentication the visual page itself jumps directly to the page requested in the querystring.

The nice thing about forms authentication that it is completely set from the web.config. This way you can hook your own authentication into an existing app. Like asp.net forums.

Peter




相关文章

相关软件