Preventing Attempts to Play Cookies in ASP.Net MVC

I was instructed to implement point 4 in this article: http://support.microsoft.com/kb/900111

This is due to the use of the membership provider to add a comment to user accounts on login and logout, and then confirming, when the cookie is used for authentication, that the user has not logged out. That makes sense to me. Where this begins to fall apart is that we do not use a membership provider, so it seems to me that I would need to rework our entire authentication code to use the membership provider. We are currently checking authentication in the controller and making a call to FormsAuthentication.SetAuthCookie() as soon as we know that the user exists. It would be very difficult to get a membership provider in.

Is all this work really necessary? Can I collapse my own store of key cookie values for users to log in and just make sure that I delete it when the user clicks the logout button? If this seems unsafe, is there a way to implement a minimal membership provider to perform these checks without handing the entire authentication code over to it?

I assume that my main problem is that we long ago decided that the membership provider model is not suitable for the model we use to lock and unlock accounts, and decided not to use it. Now we find that the MS recommendations specifically mention the membership provider, and since this is security, I must be sure that not using it, as they recommend, will not cause problems.

+4
2 answers

Can I minimize my own store of key cookie values for users to log in and just make sure I clear this when the user clicks the logout button?

Yes, you can do that. The membership provider stores a small set of user information (username, email address, password, last login, lost-password question, lost-password answer, etc.).

If you do not want to retrofit to the membership provider, I would take the approach you mentioned. Whether the information is written to the comment field of the aspnet_Users table or to a bit field in your own table should not matter.

You may also want to set up an interface for your membership / authentication code. Then you can switch your current code to a membership provider implementation when it becomes more convenient.

+1
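The approach the answer endorses, as an added example that is not part of the original post or either answer: a per-login token is written into the forms ticket's UserData and recorded server-side, logout clears the server-side copy, and an authorize attribute rejects any otherwise valid ticket whose token is no longer current. The names AuthTokenStore, ReplayGuardedAuth and ReplayGuardAuthorizeAttribute are assumptions; the in-memory dictionary stands in for the database table the answer suggests.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical server-side record of the one token each user may currently present (in-memory here).
public static class AuthTokenStore
{
    private static readonly ConcurrentDictionary<string, string> Tokens =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    public static void Set(string userName, string token) { Tokens[userName] = token; }
    public static bool IsCurrent(string userName, string token)
    {
        string current;
        return Tokens.TryGetValue(userName, out current) && current == token;
    }
    public static void Clear(string userName) { string ignored; Tokens.TryRemove(userName, out ignored); }
}

public static class ReplayGuardedAuth
{
    // Replaces FormsAuthentication.SetAuthCookie(): the ticket (signed and encrypted by forms auth)
    // carries a fresh per-login token in UserData, and the store records it as the only valid one.
    public static void SignIn(HttpResponseBase response, string userName)
    {
        string token = Guid.NewGuid().ToString("N");
        AuthTokenStore.Set(userName, token);
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.UtcNow,
            DateTime.UtcNow.AddMinutes(30), false, token);
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true });
    }

    // Clearing the server-side token is what makes a replayed cookie useless;
    // FormsAuthentication.SignOut() alone only asks the browser to drop it.
    public static void SignOut(string userName)
    {
        AuthTokenStore.Clear(userName);
        FormsAuthentication.SignOut();
    }
}

// Use in place of [Authorize]: a decryptable, unexpired ticket is not enough,
// the token inside it must also still be the user's current one.
public class ReplayGuardAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        HttpCookie cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = cookie == null ? null : FormsAuthentication.Decrypt(cookie.Value);
        return ticket != null && !ticket.Expired && AuthTokenStore.IsCurrent(ticket.Name, ticket.UserData);
    }
}
```

With a single store entry per user, a new login also invalidates any earlier cookie for the same account; keep a set of tokens instead if concurrent sessions must stay valid.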

I found MembershipProvider very useful. It allows me, as a developer, to use SqlMembershipProvider against the local user database, and then when I move to production I just use ActiveDirectoryMembershipProvider and I do not need to change a line of code (except for my web.config file).

Using your own CustomMembershipProvider, you can override any of the authentication methods and perform any other checks you want inside those methods.

If you decide to switch to the MembershipProvider scheme, I don't think you will regret it. It may be painful in the short term, but in the end I think you will see that it paid off. Since you already have your authentication code written in your controller, is it really so difficult to rework it to use MembershipProvider?

... is there a way to implement a minimal membership provider to perform these checks without handing all the authentication code over to it?

MP is one of those cases where it is best to let it do what it does best. If you try to use only part of it here and part of it there, it will cause some headaches in the future. It knows what it must do, and working around it, although possible, will require additional work that may be unnecessary.

+1

Source: https://habr.com/ru/post/1299114/