All geek questions in one place

MVC saves a token in a session

I call the service, and I need to transfer a constant user security token with every request that I make.

To do this, I added this method to my base controller class:

protected UserData getUsr() { try { UserData usr = new UserData(); usr.SecurityToken = Session["secToken"].ToString(); MembershipUser mvcUser = Membership.GetUser(HttpContext.User.Identity.Name); usr.Id = (int)mvcUser.ProviderUserKey; return usr; } catch (Exception ex) { log.Debug("Could not create usr object", ex); throw new Exception("Could not authenticate"); } }

This problem is that sometimes User.Identity data carries session data, which leads to the appearance of strange errors with the fact that the user logs in, but then their requests are not executed.

Is there a better way to save this token / can I save it in such a way that it expires whenever the User.Identity object expires?

Also, if anyone knows of a good basic understanding of the examples / documentation for the HttpContext and MVC authorization filters, that would be great.

+4
source share
4 answers

I would like to put a cookie of forms cookie for storing user security token. Class FormsAuthenticationTicket contains a property UserData , in which you can add your additional information.

The value specified in the UserData property UserData included as part of the cookie of the authentication ticket and, like the other fields of the ticket, is encrypted and verified based on the authentication system configuration forms.

Here's an article that describes how you can store additional information in authentication cookies.

This is a great article that explains a lot about storing extra data in auth forms. cookie and how could you read it. The code is written in VB and is not well formatted. You need to scroll to page 4: save additional user data in the ticket.

This thread will give you a quick answer on how you could read UserData from a cookie.

I would like to create a custom ValueProvider , as described here , which will read the security token from auth. cookie and submit action parameters.

+5
source

You can put user security token, IP address and timestamp in the line. Encrypt the string using a symmetric algorithm such as AES and place it as a cookie. Then change your code to read from the cookie. You can verify that the IP address in the cookie matches the IP address of users, this will prevent someone from stealing the cookie value and reproducing it. Here is the MSDN documentation for AES (Rjindael's original name). In this scheme, the token does not expire before the cookie and / or your timeout expire. I highly recommend that you set a timeout and not make it permanent or permanent, this will make the circuit less secure to exclude a timeout. Also put a timestamp at the beginning of your cookie value, because of the CBC mode on these algorithms, this will affect how the encrypted string looks like due to changes in bits at the beginning (avalanche effect).

The ASP.NET Membership Provider also has an authentication cookie, so this cookie should not expire before the membership cookie. Sessions time out because there is no guarantee that the user still exists, since HTTP is stateless, while the cookie is under the user's control and is sent every time the request is made.

getUsr function

 protected UserData getUsr() { try { UserData usr = new UserData(); string token = Request.Cookies["secToken"].Value; // implement RijndaelManaged encryption/decryption scheme // this can also be serialized as an object to make cleaner var tokenValues = Decrypt(token).Split(','); // The timeout expired if (DateTime.Now > DateTime.Parse(tokenValues[1])) { throw new Exception("Timeout"); } // someone stole this cookie or is on a different internet connection if (tokenValues[0] != System.Web.HttpContext.Current.Request.UserHostAddress) { throw new Exception("Invalid IP"); } // You're ok everything checks out usr.SecurityToken = tokenValues[3].ToString(); MembershipUser mvcUser = Membership.GetUser(HttpContext.Current.User.Identity.Name); usr.Id = (int)mvcUser.ProviderUserKey; return usr; } catch (Exception ex) { log.Debug("Could not create usr object", ex); throw new Exception("Could not authenticate"); } }
+1
source

Perhaps what I am saying is very stupid, but I had a similar problem in the past, and I solved it by simply setting the session expiration time longer than during login. When you use the server, you can log in to website b with a security token that updates the session data, so it will probably work all the time when the user is logged in. The fact that the session has a long duration can not cause problems, since only a user registered in the system can use this data when a new user is registered in the old session record.

+1
source

If User.Identiy outperforms the session, why not save the token as a claim in Identity? Sort of:

  var claims = new[] { new Claim("access_token", string.Format("Bearer {0}", token)), }; var identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie); Request.GetOwinContext().Authentication.SignIn(options, identity);
0
source

Source: https://habr.com/ru/post/1443360/

More articles:


All Articles