我正在开发一个网站,其中管理员用户可以作为系统中的其他用户类型登录。我需要跟踪当前的“显示”用户和当前“登录”用户。最明显的地方似乎是会话,但是你遇到的挑战是保持会话超时与身份验证超时同步。
在这里查看我的问题: MVC session expiring but not authentication
处理此类情景的最佳做法是什么?
答案 0 :(得分:0)
除了超时/安全的常用web.config设置:
<location path="Portal/Dashboard">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<authentication mode="Forms">
<forms loginUrl="~/Portal/Logout" timeout="10" />
</authentication>
以下是我在控制器中处理此问题的方法:
loggedInPlayer = (Player)Session["currentPlayer"];
if (loggedInPlayer == null)
{
loggedInPlayer = Common.readCookieData(User.Identity);
}
if (loggedInPlayer.UserID > 0)
{
//Dude's signed in, do work here
}
else
{
return PartialView("Logout");
}
然后对于我的LogOut()控制器方法,我说:
public ActionResult Logout()
{
Session["currentPlayer"] = null;
FormsAuthentication.SignOut();
return RedirectToAction("Index", "Home", new { l = "1"}); //Your login page
}
为了处理我的饼干:
public static Player readCookieData(System.Security.Principal.IIdentity x)
{
Player loggedInPlayer = new Player();
if (x.IsAuthenticated)
{
loggedInPlayer.UserID = 0;
if (x is FormsIdentity)
{
FormsIdentity identity = (FormsIdentity)x;
FormsAuthenticationTicket ticket = identity.Ticket;
string[] ticketData = ticket.UserData.Split('|');
loggedInPlayer.UserID = Convert.ToInt32(ticketData[0]);
loggedInPlayer.UserFName = ticketData[1];
loggedInPlayer.UserLName = ticketData[2];
}
}
else
{
loggedInPlayer.UserID = 0;
loggedInPlayer.UserFName = "?";
loggedInPlayer.UserLName = "?";
}
return loggedInPlayer;
}