以最佳做法登錄？

Question

我正在開發一個管理員用戶可以在系統中以其他用戶類型登錄的網站。我在那裏需要跟蹤當前的「顯示」用戶和當前的「登錄」用戶。最明顯的地方似乎是會話，但你有挑戰保持會話超時與認證超時同步。

見我的問題在這裏： MVC session expiring but not authentication

什麼是處理這類場景的最佳做法？

Answer 1

除了爲超時/安全通常的web.config設置：

<location path="Portal/Dashboard"> 
<system.web> 
    <authorization> 
    <deny users="?" /> 
    </authorization> 
</system.web> 
</location> 

<authentication mode="Forms"> 
    <forms loginUrl="~/Portal/Logout" timeout="10" /> 
</authentication> 

以下是我在我的控制器處理這個問題：

 loggedInPlayer = (Player)Session["currentPlayer"]; 
     if (loggedInPlayer == null) 
     { 
      loggedInPlayer = Common.readCookieData(User.Identity); 
     } 
     if (loggedInPlayer.UserID > 0) 
     { 
      //Dude's signed in, do work here 
     } 
    else 
     { 
      return PartialView("Logout"); 
     } 

然後我退出（）控制器方法我說：

public ActionResult Logout() 
    { 
     Session["currentPlayer"] = null; 
     FormsAuthentication.SignOut(); 
     return RedirectToAction("Index", "Home", new { l = "1"}); //Your login page 
    } 

對於加工餅乾，我有：

public static Player readCookieData(System.Security.Principal.IIdentity x) 
    { 
     Player loggedInPlayer = new Player(); 
     if (x.IsAuthenticated) 
     { 
      loggedInPlayer.UserID = 0; 
      if (x is FormsIdentity) 
      { 
       FormsIdentity identity = (FormsIdentity)x; 
       FormsAuthenticationTicket ticket = identity.Ticket; 
       string[] ticketData = ticket.UserData.Split('|'); 
       loggedInPlayer.UserID = Convert.ToInt32(ticketData[0]); 
       loggedInPlayer.UserFName = ticketData[1]; 
       loggedInPlayer.UserLName = ticketData[2]; 
      } 
     } 
     else 
     { 
      loggedInPlayer.UserID = 0; 
      loggedInPlayer.UserFName = "?"; 
      loggedInPlayer.UserLName = "?"; 
     } 
     return loggedInPlayer; 
    }