问题描述
我有一个 asp.net 应用程序,它需要使用表单身份验证将用户登录到 Active Directory(Windows 身份验证不是具有给定要求的选项).
I have an asp.net app which needs to log users into Active Directory using forms authentication (windows authentication isn't an option with the given requirements).
我像这样保存身份验证 cookie:
I'm saving authentication cookies like so:
if (Membership.ValidateUser(model.UserName, model.Password)) { FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe); }
这很有效,除了即使用户更改了 Active Directory 密码后,cookie 也会对用户进行身份验证.
This works great, except that the cookie authenticates the user even after they change their Active Directory password.
有没有办法判断用户的密码是否已更改?
Is there a way to tell if the user's password has changed?
我在 .NET 4 中使用 asp.net MVC3
I'm using asp.net MVC3 with .NET 4
我的尝试
如果觉得这段代码应该可以工作,但是 HttpWebResponse 永远不会包含任何 cookie.不太确定我做错了什么.
If feel like this code should work, however the HttpWebResponse never contains any cookies. Not quite sure what I'm doing wrong.
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(Request.Url); request.CookieContainer = new CookieContainer(); HttpWebResponse response = (HttpWebResponse)request.GetResponse(); Cookie authCookie = response.Cookies["AuthCookie"]; if (authCookie.TimeStamp.CompareTo(Membership.GetUser().LastPasswordChangedDate) < 0) { authCookie.Expired = true; }
推荐答案
你的代码应该阅读
if (Membership.ValidateUser(model.UserName, model.Password)) { string userData = DateTime.Now.ToString(); FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddMinutes(30), isPersistent, userData, FormsAuthentication.FormsCookiePath); // Encrypt the ticket. string encTicket = FormsAuthentication.Encrypt(ticket); // Create the cookie. Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)); }
现在,当验证用户时
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName]; FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.value); if (DateTime.Parse(ticket.UserData) > Membership.GetUser().LastPasswordChangedDate) { FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage(); }