Question

我在ASP.Net MVC5中创建了一个网站，并在其中使用了登录功能，它在localhost上工作正常，但是当我上传网站服务器时，服务器会在每次点击时将我重定向到登录页面。

以下是登录功能

public ActionResult DoLogin(string username, string password)
    {
        if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
        {
            var user = new UserRepository().GetAll()
                                            .Where(u => u.UserName.ToUpper() == username.Trim().ToUpper()
                                                    && u.Password == password).SingleOrDefault();
            if (user != null)
            {
                FormsAuthentication.SetAuthCookie(user.UserName,true);

                var authTicket = new FormsAuthenticationTicket(1, user.UserName, DateTime.Now, DateTime.Now.AddHours(24), true, user.Roles);
                string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
                var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
                HttpContext.Response.Cookies.Add(authCookie);

                Session["Name"] = user.Name;
                return RedirectToAction("Index", "Student");
            }
        }
        ViewBag.ErrorMessage = "User Name or Password is incorrect";
        return View("Login");
    }

然后我在Global.asax.cs文件中添加了以下功能。

 protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
    {
        var authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            if (authTicket != null && !authTicket.Expired)
            {
                var roles = authTicket.UserData.Split(',');
                HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(new FormsIdentity(authTicket), roles);
            }
        }
    }

之后我在每个Controller之前添加了[Authorize(Roles = "Admin")]（不是在Controller中的方法之前）我想限制访问。

现在，每当我登录时，它会将我重定向到学生控制器的索引方法，之后我点击其他链接再次将我带到登录页面。有时它需要我点击链接而不带我登录页面。我的代码有问题吗？它在localhost上运行正常。

Answer 1

您要分配两次授权凭证;

        if (user != null)
        {
            //FormsAuthentication.SetAuthCookie(user.UserName,true); Remove it
            var authTicket = new FormsAuthenticationTicket(1, user.UserName, DateTime.Now, DateTime.Now.AddHours(24), true, user.Roles);
            string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
            var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
            HttpContext.Response.Cookies.Add(authCookie);

            Session["Name"] = user.Name;
            return RedirectToAction("Index", "Student");
        }

另外，我建议您不要将角色存储在Cookie中，因为如果用户角色已被删除或添加了新角色，则无法更新。所以，

 protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
    {
        var authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            if (authTicket != null && !authTicket.Expired)
            {
                var roles = authTicket.UserData.Split(',');//fill it from database and it could be better to use cache mechanism for performance concern
                HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(new FormsIdentity(authTicket), roles);
            }
        }
    }

用户身份验证失败

1 个答案: