ASP.Net Identity: Identity.IsAuthenticated still true even after deleting the user

Problem description

I have implemented ASP.Net Identity after following the sample code here: https://github.com/rustd/AspnetIdentitySample

In my implementation I check if a user is authenticated - this is called from a FilterAttribute on my MVC Controllers; the idea is I want to confirm they are still auth'ed before serving up the page.

So in my filter, the following code eventually gets called:

_authenticationManager.User.Identity.IsAuthenticated;

_authenticationManager is here:

private IAuthenticationManager _authenticationManager
{
    get
    {
        return _httpContext.GetOwinContext().Authentication;
    }
}

The _httpContext is passed into the constructor of my identityProvider class.

Now - once I have logged in, _authenticationManager.User.Identity.IsAuthenticated; returns true as expected.

However, during development, I dumped and re-seeded my database, without adding a user. So effectively, I have deleted the IdentityUser - yet _authenticationManager.User.Identity.IsAuthenticated; STILL returns true

Any idea why this is? I can only assume it's somehow checking a cookie, rather than actually looking at the DB. Is this correct?

Or have I messed up my implementation...

Recommended answer

This does not make IsAuthenticated a security hole. Let's look at the actual authentication process.

1. You set up some stuff in your web.config around where the login page is, how long the login is good for and whether or not to use sliding expiration (should the time be extended if the user is active on your site)

2. User comes to your site, enters their username and password.

3. That information is posted to your server. You take that information, verify that it is correct (authenticate). If it is correct, the server then issues an encrypted cookie known as the FormsAuthenticationTicket. Note - this could have a different name in the new Identity stuff, but the same principle.

4. The cookie's contents include items such as the user name and expiration date of the login.

5. On each request, the server looks at the cookie collection for the authentication cookie. If found, it decrypts it, reads the values and determines if this is still a valid cookie (expiration time). Once it has the user information from the cookie, the server can use this information to determine if the user is authorized for the resource requested (look up by username).

5a. If the cookie is not present, or has expired, then the user is redirected back to the login page.

6. When the user logs out, the cookie is deleted from the cookie collection. Now, if the user tries to go to a resource that is for authorized users only, then the server ends up at 5a above.

So, in your case, you deleted a user manually. This does not change the fact that this user has previously been authenticated with a still valid cookie. Therefore, IsAuthenticated is returning the expected value. The user has authenticated before you changed his user status. IsAuthenticated does not mean "is this user still valid in my database".

If you are going to be running a site where you are constantly deleting/deactivating users, then override the OnRequestAuthorization method of the AuthorizeAttribute to look and see if the user is actually still in the database. Also, note that if the username is not present (because you deleted it), then any lookups for role / userId will fail. You can catch that exception / failure and return the proper unauthorized response.
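The database check the answer recommends, as an added example (not code from the question, the answer, or the linked sample): an AuthorizeAttribute subclass that treats a valid cookie naming a user who no longer exists as unauthorized. In MVC 5 the override point is AuthorizeCore; the ApplicationUserManager type registered in the OWIN context is assumed from the standard project template.

```csharp
// Added example: an AuthorizeAttribute that rejects a request whose auth cookie
// names a user that has since been deleted from the identity store.
// Assumes ASP.NET MVC 5 + ASP.NET Identity 2.x with an ApplicationUserManager
// (template class name, an assumption here) registered in the OWIN context.
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class DbBackedAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: a valid, unexpired auth cookie plus any Roles/Users filter.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // The cookie only proves the user authenticated at some point in the past;
        // confirm the principal it names still exists in the database.
        var userId = httpContext.User.Identity.GetUserId();
        if (string.IsNullOrEmpty(userId))
            return false;

        var owin = httpContext.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        var user = userManager.FindById(userId);
        if (user == null)
        {
            // Stale cookie for a deleted user: drop the session so the resulting
            // 401 becomes a clean redirect to the login page instead of a loop.
            owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            return false;
        }

        return true;
    }
}
```

Apply it with [DbBackedAuthorizeAttribute] in place of [Authorize] on the controllers or actions that need the stronger check; note that this costs one user lookup per request. Identity 2.x also offers SecurityStampValidator.OnValidateIdentity in the cookie middleware options, which re-validates the stored security stamp at a configurable interval and signs out users whose stamp no longer matches.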


10-30 15:32