表单身份验证适用于IIS中禁用的表单身份验证

Question

我有一个使用基于表单的身份验证的应用程序。我以前从未用过这个。以下是示例示例代码：

private bool ValidateUser(string userName, string password, string strConnectionString)
        {
            SqlConnection conn;
            SqlCommand cmd;
            string lookupPassword = null;

            // Check for invalid userName.
            // userName must not be null and must be between 1 and 15 characters.
            if ((null == userName) || (0 == userName.Length) || (userName.Length > 15))
            {
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
                return false;
            }

            // Check for invalid passWord.
            // passWord must not be null and must be between 1 and 25 characters.
            if ((null == passWord) || (0 == passWord.Length) || (passWord.Length > 25))
            {
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
                return false;
            }

            try
            {
                // Consult with your SQL Server administrator for an appropriate connection
                // string to use to connect to your local SQL Server.
                //conn = new SqlConnection(connectionstringremoved);
                conn = new SqlConnection(strConnectionString)

                conn.Open();
                Error.Text = "Got here";

                // Create SqlCommand to select pwd field from users table given supplied userName.
                cmd = new SqlCommand("Select pwd from users where uname=@userName", conn);
                cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25);
                cmd.Parameters["@userName"].Value = userName;

                // Execute command and fetch pwd field into lookupPassword string.
                lookupPassword = (string)cmd.ExecuteScalar();

                // Cleanup command and connection objects.
                cmd.Dispose();
                conn.Dispose();
            }
            catch (Exception ex)
            {
                // Add error handling here for debugging.
                // This error message should not be sent back to the caller.
                System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.ToString());
               Error.Text = ex.ToString();

            }

            // If no password found, return false.
            if (null == lookupPassword)
            {
                // You could write failed login attempts here to event log for additional security.
                return false;
            }

            // Compare lookupPassword and input passWord, using a case-sensitive comparison.
            return (0 == string.Compare(lookupPassword, passWord, false));

        }

我已将此应用程序发布到IIS 6.1，我注意到无论是否启用了表单身份验证，它都能正常工作（在下面的情况下禁用它）。

我对基本身份验证有同样的疑问。

我认为它与启用匿名身份验证有关，即启用匿名身份验证还默认启用表单身份验证 - 或类似的东西。但是，我找不到任何支持此声明的文档。

Answer 1

您已启用匿名身份验证。

这实际上意味着您没有身份验证，因为匿名身份验证允许所有人进入身份验证。