Preventing Cookie replay attacks in ASP.Net MVC -

-

I have been tasked with implementing point 4 in this article:

The subscription provider Uses include adding a comment to users' server side records, when they sign in and exit, and then confirm that the user is not logged out when used to authenticate the cookie is. This makes the right sense for me where it starts to separate, we do not currently use a membership provider, and it seems that I use all our authentication codes again to use a subscription provider. I am facing complete fulfillment. We currently check authentication in a controller, and call FormsAuthentication.SetAuthCookie () , once we know that the user exists

is it really Necciality, it will be a lot of work to force a membership provider. Can I roll in my own key value store of cookie values ​​to log in user and just make sure that when a user hits the logout button if it looks insecure, then does all this authenticity code Is there a way to implement a minimum membership provider without assigning it?

I think that my main problem here is that we decided a long time ago that the membership provider is not fit with the model model which we use for locking and unlocking accounts, and its Choose not to use. Now we find that MS's recommendations specifically mention a membership provider, and this is security because I need to ensure that they are not causing problems if they are not used.

Can I roll my key store of cookies values ​​to log in user and just make sure that when a user hits the logout button, So I can clear it.

Yes, you can do this. The membership provider keeps a small set of data about the user (username, email, password, last login, lost password question, lost answer to password).

If you do not want to fit retro membership providers, I will take the approach you mentioned. Whether the information is written in the comment field of the aspnet_Users table or in the field in your own table, it should not make any difference.

You also have your membership / authentication code. After that you can swap your current code for membership provider implementation when it is more convenient.


Comments

Post a Comment

Popular posts from this blog

oracle - The fastest way to check if some records in a database table? -

-
I have a big table to work with. I have to see that there are some records whose parent_id is equal to my passing value. Currently I do this by implementing "my_table using select count (*) where parent_id =: id"; If the result> 0, it means that they exist. Because this is a very large table, and I do not care what the actual number of records present, I just want to know if it exists, so I think count (*) Bit is disabled. How do I apply this requirement most quickly? I'm using Oracle 10. # Tips for Hibernation & amp; Tricks It suggests writing in such a way: Integer number = (integer) session .createQuery ("Select Count (*) to ...."). UniqueResult (); I do not know what is the magic of the unique rule? Why does it fast? To compare, select "1 from mytable where parent_id = passId and rowrum", which is more efficient? If you are not interested in the number of records, then there is an EXISTS query one: Select 'y'
Read more

php - multilevel menu with multilevel array -

-
Just ask someone to solve this problem? I want to create a multilevel menu I can not find the right solution generated with multilevel array, it always gets an array_push error My study came from the original idea But still my Can not match the need. This is my MySQL [code] ----- --------------------- --------------- | ID | PARENT_ID | Name | Link | Seq | 1 | 0 | Dashboad | Dashboard / | 1 | 2 | 0 | Menu 1 | Menu 1 / | 2 | 3 | 0 | Menu 2 | Menu 2 / | 3 | 4 | 0 | Menu 3 | Menu 3 / | 4 | 5 | 2 | Joint Add / | 1 | 6 | 3 | Joint Add / | 1 | 7 | 2 | Edit | Edit / | 2 | 8 | 4 | Joint Add / | 1 ------------------------------------------ [/ Code] I want to do something like this in my array array ('dashboard' = & gt; array ('id' = & gt; '' 'Dame' = & gt; 'Dashboard', 'Title' = & gt; 'Dashboard', 'MatchMin' = & gt; Base_URL (). 'Dashboard /', 'Active' => = & Gt; NULL), &
Read more

jQuery UI: Datepicker month format -

-
I am trying to change the format of the month that shows in the popup (not in the date that the picker actually I do not have any choice anywhere to do this, do I like to use a sub-string () or something else? What I normally display is Trying to change: Class = "ui-datepicker-title"> January & lt; / span & gt; ... & lt; / div & gt; Div>
Read more