我可能需要添加某种后门,其中sysadm可以使用仅知道客户用户名的客户帐户登录到aspnet.mvc站点。
这是否可行,例如使用来自aspnet membershipprovider的哈希密码或超级用户密码?
答案 0 :(得分:0)
如果您想获得后门访问权限,则无需知道用户的密码。只是他们的用户名
您只需撰写FormsAuthentication.SetAuthCookie(username, false)即可。
只需确保限制对此功能的访问。例如,创建一个名为“Authentication Agent”的角色。在执行后门访问的控制器操作方法中,请确保仅允许“身份验证代理”角色中的用户使用它。
[HttpPost]
[Authorize("Authentication Agent")]
public virtual ActionResult SignInAs(SignInAsForm model)
{
if (model != null)
{
MembershipUser member = null;
if (!string.IsNullOrWhiteSpace(model.UserName))
{
model.UserName = model.UserName.Trim();
member = Membership.GetUser(model.UserName);
}
if (member == null)
ModelState.AddModelError("UserName", string.Format(
"Username '{0}' could not be found.", model.UserName));
if (ModelState.IsValid)
{
Session["WasSignedInAs"] = User.Identity.Name;
FormsAuthentication.SetAuthCookie(model.UserName, false);
TempData["FlashMessage"] = string.Format(
"Impersonation was successful. You are signed in as {0}.",
model.UserName)
if (!string.IsNullOrWhiteSpace(model.ReturnUrl))
return Redirect(model.ReturnUrl);
return RedirectToAction(FormsAuthentication.DefaultUrl);
}
return View(model);
}
return HttpNotFound();
}