我试图在我的登录表单上实现“记住我”功能。我正在使用ASP.NET MVC作为我的Web应用程序。我设法使cookie的工作正常,但是我没有自动登录用户,以防他/她检查之前记住我的复选框。我知道问题是什么,但我不知道如何解决它。
在我的HomeController中,我有以下内容:
private Loginviewmodel CheckLoginCookie() { if (!string.IsNullOrEmpty(_appCookies.Email) && !string.IsNullOrEmpty(_appCookies.Password)) { var login = new Loginviewmodel { Email = _appCookies.Email,Password = _appCookies.Password }; return login; } return null; } public ActionResult Index() { var login = CheckLoginCookie(); if (login != null) return RedirectToAction("Login","User",login); var viewmodel = new HomeIndexviewmodel { IntroText = "Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s,when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries,but also the leap into electronic typesetting,remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.",LastMinuteDeals = new List<ItemsIndexviewmodel>(),TrustedDeals = new List<ItemsIndexviewmodel>() }; return View(viewmodel); }
在我的UserController中,我有Login操作方法:
public ActionResult Login() { return PartialView(new Loginviewmodel()); } [HttpPost] public ActionResult Login(Loginviewmodel dto) { bool flag = false; if (ModelState.IsValid) { if (_userService.AuthenticateUser(dto.Email,dto.Password,false)) { var user = _userService.GetUserByEmail(dto.Email); var uSession = new UserSession { ID = user.Id,Nickname = user.Nickname }; SessionManager.RegisterSession(SessionKeys.User,uSession); flag = true; if(dto.RememberMe) { _appCookies.Email = dto.Email; _appCookies.Password = dto.Password; } } } if (flag) return RedirectToAction("Index","Home"); else { ViewData.Add("InvalidLogin","The login info you provided were incorrect."); return View(dto); } }
所以基本上,我想我会做的是将用户从Index操作结果重定向到主控制器,以防有一个登录cookie。但是问题是,RedirectToAction将触发GET登录操作方法,而不是POST用于注册用户。
解决方法
首先,您不应该将用户的凭据存储在cookie中。这是非常不安全的。密码将按照每个请求进行传递,并以用户的机器上的纯文本格式存储。
第二,不要重新发明,特别是在安全方面,你永远都不会这样做。
ASP.Net已经通过Forms Autonitcation和Membership Providers安全地提供了这个功能。你应该看看。创建默认的MVC项目将包括基本身份验证设置。官方MVC site有更多。
更新
您仍然可以使用.NET表单身份验证而不实现成员资格提供程序。在一个基本的水平上,它将像这样工作。
您在web.config中启用表单身份验证
<authentication mode="Forms"> <forms loginUrl="~/Account/Login" timeout="2880" /> </authentication>
您使用[授权]属性来装饰您想要保护的动作或控制器。
[Authorize] public ViewResult Index() { //you action logic here }
然后创建一个基本的登录操作
[HttpPost] public ActionResult Login(Loginviewmodel dto) { //you authorisation logic here if (userAutherised) { //create the authentication ticket var authTicket = new FormsAuthenticationTicket( 1,userId,//user id DateTime.Now,DateTime.Now.AddMinutes(20),// expiry rememberMe,//true to remember "",//roles "/" ); //encrypt the ticket and add it to a cookie HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,FormsAuthentication.Encrypt(authTicket)); Response.Cookies.Add(cookie); return RedirectToAction("Index"); } }