
Configuration file:
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".AuthKey" defaultUrl="Default.aspx" cookieless="UseCookies" slidingExpiration="false"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
Login action:
protected void btnLogin_Click(object sender, EventArgs e)
{
    var isPersistent = false;
    // Issues the ".AuthKey" forms ticket cookie for the hard-coded user "admin"
    FormsAuthentication.SetAuthCookie("admin", isPersistent);
    this.Response.Redirect(FormsAuthentication.DefaultUrl);
}
Logout action:
// requires: using System.Security.Principal; using System.Web.Security;
protected void Page_Load(object sender, EventArgs e)
{
    FormsAuthentication.SignOut();
    // Clear the client-side cookie
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    cookie1.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie1);
    Session.Abandon();
    // Reset the logged-in identity (has no effect)
    HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
}
Demonstration:
Before logging in, attempting to access a page that requires login. [screenshots not preserved]
Could it be that, because of the FormsAuth verification mechanism, this ticket cannot be cleared?
If someone illegitimately obtains the AuthKey, then even after the user logs out and changes their password, a malicious request carrying that AuthKey can still log in successfully. Is an additional restriction needed?
References:
FormsAuthentication.SignOut Method (System.Web.Security) | Microsoft Docs
https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.signout?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_SignOut
Resolving why the user name cannot be obtained in ASP.NET and why User.Identity.IsAuthenticated is still true after sign-out - 十有三博客
https://shiyousan.com/post/636409990481316726
Reply from a uj5u.com user:
Full source code: link: https://pan.baidu.com/s/1fvk2MIIdVgkFH_D3q8mE5g
Extraction code: iil8
Reply from a uj5u.com user:
Session/Authentication not removed server-side after logout | The ASP.NET Forums
https://forums.asp.net/t/1988295.aspx?Session+Authentication+not+removed+server+side+after+logout
Reply from a uj5u.com user:
You put the key in the cookies in the first place, so of course someone who takes the key from there can imitate unlocking. Either verify some other way, or add another layer of verification after the lock is opened.
Reply from a uj5u.com user:
If it has expired normally, then even if the "key" is sent over, the lock will not open. So how does ASP.NET implement the expiry of the original key?
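The question above (a captured .AuthKey cookie keeps working after logout and a password change) and the last reply (how expiry of the "key" is enforced) are two sides of the same mechanism: the forms ticket carries an issue time and an expiration time, the cookie value is the encrypted and MAC-protected ticket, and FormsAuthenticationModule decrypts it on every request and rejects it only when it has expired or fails validation. Nothing in the framework remembers that a user logged out, so SignOut() only expires the cookie on the client. The following is an added example, not code from the original post or its linked source: a per-user "not before" timestamp kept on the server, recorded at logout (or password change), and checked in Global.asax before authorization runs. The class name TicketRevocation, the in-memory ConcurrentDictionary store, and the Global.asax handler are assumptions for illustration; a real deployment would persist the timestamp per user.

```csharp
// Added example (not from the original post): server-side invalidation of
// forms-authentication tickets issued before a user's last logout.
// Assumptions: ASP.NET 4.x Web Forms, Global.asax, and an in-memory
// dictionary (TicketRevocation) standing in for a per-user database column.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketRevocation
{
    // user name -> UTC instant; tickets issued before it are rejected.
    // Constructed in-memory store: it is lost on app restart, so persist it in practice.
    private static readonly ConcurrentDictionary<string, DateTime> NotBefore =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call on logout and on password change.
    public static void RevokeAllTicketsFor(string userName)
    {
        NotBefore[userName] = DateTime.UtcNow;
    }

    // Acceptable = not expired (the framework's own check, repeated here for
    // clarity) AND issued at or after the user's last revocation.
    public static bool IsTicketAcceptable(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;
        DateTime notBefore;
        if (NotBefore.TryGetValue(ticket.Name, out notBefore))
        {
            // IssueDate is local time as written by the framework; compare in UTC.
            return ticket.IssueDate.ToUniversalTime() >= notBefore;
        }
        return true;
    }
}

public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has decrypted the cookie and set
    // Context.User, but before UrlAuthorizationModule applies <deny users="?"/>.
    // This is why resetting Context.User in Page_Load "had no effect": by then
    // authorization had already been granted.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        FormsAuthenticationTicket ticket = null;
        try
        {
            // Verifies the MAC and decrypts with the machine key; throws on a
            // tampered or foreign cookie.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Leave ticket null: treated as not acceptable below.
        }

        if (!TicketRevocation.IsTicketAcceptable(ticket))
        {
            FormsAuthentication.SignOut(); // expire the cookie on the client
            // Demote the request to anonymous so <deny users="?"/> applies.
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}

// Logout page: revoke on the server first, then clear the client-side cookie.
public partial class Logout : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated)
            TicketRevocation.RevokeAllTicketsFor(User.Identity.Name);
        FormsAuthentication.SignOut();
        Session.Abandon();
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}
```

With this in place, a copy of the .AuthKey cookie taken before logout is still a validly signed, unexpired ticket, but its IssueDate predates the user's revocation time, so the request is demoted to anonymous and redirected to Login.aspx. Calling RevokeAllTicketsFor from the password-change handler as well covers the "changed the password" case in the question. A shorter ticket timeout in the <forms> element limits how long such a check has to hold a revocation entry.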
Please credit the source when reposting. Link to this article: https://www.uj5u.com/net/127353.html
Tags: ASP.NET
