0
我在博客上發佈了關於Sessions和Cookies的信息。下面是詳細介紹保持MVC中會話中的用戶信息不安全
會議
- 會話更安全
- 會議是在服務器上
餅乾
- Cookies是在客戶端
- 不太安全
- 一旦禁用瀏覽器就很難使用。
在上述論證的基礎上,我用在登錄系統的會話保持UserId,UserName & roleName
現在角色名的基礎上,我將決定是這是Admin進入到管理員節與否。
我已經使用這個代碼在模型MVC
public bool LoginMe()
{
Int64 Error;
//create db
Database db = DatabaseFactory.CreateDatabase("DBContext");
DbCommand dbCommand = db.GetStoredProcCommand("ValidateUser");
db.AddInParameter(dbCommand, "@Username", DbType.String, this.UserName);
db.AddInParameter(dbCommand, "@Password", DbType.String, EncryptPassword(this.Password));
db.AddOutParameter(dbCommand, "@Error", DbType.Int64, 10);
DataSet dsResult = db.ExecuteDataSet(dbCommand);
Error = Convert.ToInt64(db.GetParameterValue(dbCommand, "@Error"));
if (Error == 1100)
{
try
{
var query = (from o in dsResult.Tables[0].AsEnumerable()
select new AllUser
{
UserId = o.Field<int>("UserId"),
UserName = o.Field<string>("UserName"),
roleName = o.Field<string>("roleName"),
}).Single(); // this will raise an exception if there isn't just one record returned
Session["UserId"] = query.UserId;
Session["UserName"] = query.UserName;
Session["roleName"] = query.roleName;
return true;
}
catch {
// do nothing and let method return false as something has gone wrong.
// add logging here if you are using it to show there has been a problem
}
}
return false;
}
我用它在瀏覽像@Session["UserId"]
現在像
If you aren't using https and securing the session cookie then this might make it easy to hack your site, although that's the same for any session based site (nearly all of them)
It might be nice to add some check so that if you remove a user's rights, the session variables are deleted the next time that user requests something from the server,
otherwise they could carry on using the site even though their account it banned.You'd have to decide if this is likely and then how you want to do this (using an authorization filter maybe.)
上述評論這方面的專家意見搞糊塗了。任何機構能否清楚說明?保存這些信息的最佳方法是什麼?