Last post Aug 11, 2017 08:49 AM by zxj
Jul 26, 2017 11:07 AM | denya.work

I want to know, step by step, everything that happens in MVC authorization.
One example of what I want is the same thing people post for HTTPS:
1. When the user enters a login and password:
The system tries to find a user with that name and checks the hash of the password.
2. If such an account exists:
Then it has two keys, private and public, based on the machine key.
Then it takes the user id and uses one of these keys to encrypt the data.
And it writes this data to a cookie.
3. When we need to check that such a user exists:
The cookie data can be read on the server.
So we get the encrypted data and try to decrypt it.
Fix my mistakes and make the picture complete.
What algorithm is used for encryption, what key, and how is it written to the cookie?
Jul 26, 2017 03:00 PM | bruce (sqlwork.com)

There are many authentication schemes, and the template supplies a lot of the code, but I assume you mean the default forms authentication.
1) Yes. The password is stored as a one-way hash (it cannot be converted back to the password).
2) No, typically a two-way hash is used (typically SHA1), as only the originator needs to decrypt the cookie data. The cookie data is the UserName, not the id. You can store additional data in the cookie.
3) Yes, the server decrypts the cookie data to the login name; the key is known as the machine key in the web.config. If not specified, a key is generated at startup. An auto-generated key will not work after a recycle, nor with a web farm.
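The two mechanisms discussed in the question and in the reply above, a one-way password hash in the user store and a ticket cookie protected by a fixed server secret, as an added illustration that is not code from ASP.NET or from anyone in this thread. It uses the Python standard library, so the ticket is only integrity-protected with HMAC-SHA256 (ASP.NET's real ticket is additionally encrypted with the machine key's decryptionKey); the key value, user name and expiry are constructed, and the cookie name is the default used by the OWIN application cookie middleware.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed stand-in for the secret the thread calls the "machine key"
# (web.config <machineKey validationKey="...">). A fixed, per-application
# secret is what lets a cookie survive an app-pool recycle and be accepted
# by every server in a web farm; an auto-generated key can do neither.
VALIDATION_KEY = bytes.fromhex("4f" * 32)  # constructed demo value

COOKIE_NAME = ".AspNet.ApplicationCookie"  # default OWIN application cookie name
MAC_LEN = 32  # HMAC-SHA256 output length in bytes


def hash_password(password: str, iterations: int = 100_000) -> str:
    """One-way (salted PBKDF2) hash: the stored value cannot be turned back into the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def issue_ticket(user_name: str, ttl_seconds: int = 1800, now: Optional[float] = None) -> str:
    """Build the cookie value: ticket payload (user name + expiry) followed by its HMAC."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"name": user_name, "exp": issued + ttl_seconds},
                         separators=(",", ":")).encode("utf-8")
    mac = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")


def read_ticket(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the ticket's MAC verifies and it has not expired, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # altered in transit, or signed under a different machine key
    try:
        ticket = json.loads(payload.decode("utf-8"))
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if not isinstance(ticket, dict) or ticket.get("exp", 0) < current:
        return None  # expired
    return ticket.get("name")


def set_cookie_header(ticket: str) -> str:
    """How the ticket is handed to the browser: an HttpOnly, Secure cookie."""
    return f"Set-Cookie: {COOKIE_NAME}={ticket}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", stored))
    ticket = issue_ticket("alice")
    print(set_cookie_header(ticket))
    print("cookie resolves to:", read_ticket(ticket))
```

The server never needs the password again after login: the stored hash only answers "does this candidate match?", while the cookie carries the user name plus a MAC that only a holder of the validation key can produce, which is why the same key must be configured on every machine that should accept the cookie.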
Jul 26, 2017 03:05 PM | denya.work

I am interested in ASP.NET Identity authentication.
Jul 27, 2017 07:50 AM | Jean Sun

It seems that MS doesn't have documents that introduce in detail how ASP.NET Identity authenticates a user.
However, there are some Recommended Resources for ASP.NET Identity in the following link, which are helpful for understanding ASP.NET Identity.
Jul 27, 2017 10:20 AM | denya.work

I had this question in two interviews.
So there are people in the world who know the answer.
That's why I posted this question here.
I cannot find such info in books.
That's why I am still waiting for help and an answer about Identity.
One man told me something about symmetric encryption.
Aug 11, 2017 08:49 AM | zxj

ASP.NET Identity is the open-source project that Microsoft contributes to, providing authentication, authorization, and so on for ASP.NET.
ASP.NET Identity - GitHub

1. The user enters the ASP.NET platform through the browser for the first time.
2. Because the login has not yet completed, ASP.NET judges the user to be "not logged in."
3. If the resource the user requests is a controller or action labeled [Authorize], the [Authorize] attribute returns the HTTP 401 status code because the user is not logged in.
4. ApplicationCookieMiddleware is an Identity middleware mounted in ASP.NET; this middleware intercepts the HTTP 401 status code.
5. After ApplicationCookieMiddleware intercepts the HTTP 401 status code, it changes the returned content: it returns the HTTP 302 status code and the URL of a login page instead.
6. The browser receives the HTTP 302 status code and automatically jumps to the URL of the login page carried in the returned content.
7. The ASP.NET platform returns the login page to the browser, requiring the user to log in.

Authentication (Facebook validation as an example)
1. The login page will link to the ExternalLogin action after the user chooses to use Facebook to authenticate on the login page.
2. ExternalLogin will return a ChallengeResult to trigger a challenge after receiving the user's option to use Facebook for verification. Because the user chooses to use Facebook to authenticate, the challenge action is left to FacebookAuthenticationMiddleware for processing.
3. FacebookAuthenticationMiddleware then initiates an OAuth process to exchange information between the Facebook platform and the user's browser to authenticate the user.
4. After completing the OAuth process, FacebookAuthenticationMiddleware can build an FbUser from the user information obtained.
5. FbUser will be taken as a parameter for the SignIn action. This SignIn action will be directed to the Identity-mounted ExternalCookieMiddleware to execute.
6. In ExternalCookieMiddleware, the FbUser is encoded as cookie content and appended to the returned content.
7. After the SignIn action is completed, FacebookAuthenticationMiddleware changes the returned content. Instead, it returns the HTTP 302 status code, the FbUser encoded as cookie content, and an ExternalLoginCallback URL.

Authorization
1. The browser receives the HTTP 302 status code and automatically jumps to the ExternalLoginCallback URL carried in the returned content, also carrying the FbUser that is encoded as the content of the cookie.
2. ASP.NET decodes the FbUser from the cookie content and defines the login status as "not logged in" according to the definition of the encoding of FbUser as a cookie.
3. The FbUser will then be presented to ASP.NET Identity to obtain the system-used AppUser from Identity. This AppUser also contains the role data that is authorized to the user, in addition to user-related data.
4. AppUser will be taken as a parameter for the SignIn action. This SignIn action will be directed to the Identity-mounted ApplicationCookieMiddleware to execute.
5. In ApplicationCookieMiddleware, the AppUser is encoded as cookie content and appended to the returned content.
6. After the SignIn action is completed, ASP.NET Identity changes the returned content. Instead, it returns the HTTP 302 status code with the AppUser encoded as the cookie content.

1. After completing the above process, each time the user enters the ASP.NET platform using a browser, the AppUser that is encoded as the content of the cookie is carried along.
2. ASP.NET decodes the AppUser from the cookie contents and defines the login status as "logged in" according to the definition of the encoding of AppUser as a cookie.
3. If the resource the user requires is a controller or action labeled [Authorize], the [Authorize] attribute recognizes the user as logged in, allowing and executing the functional content.
4. The ASP.NET platform executes the functional content and returns the resulting page to the browser. This completes the entire ASP.NET Identity login process.
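The request flow described in the post above (401 from [Authorize], the cookie middleware rewriting it to a 302 to the login page, the SignIn action handing the user to the middleware, and later requests carrying the cookie), as an added simulation in plain Python that is not ASP.NET's or the post's own code. The routes, the user store, the signing key and the cookie format are constructed for the demo; only the cookie name matches the OWIN default. The middleware also shows the failure mode the thread circles around: a cookie whose MAC does not verify is treated exactly like no cookie at all.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import quote

COOKIE_NAME = ".AspNet.ApplicationCookie"  # default OWIN application cookie name
SIGNING_KEY = b"constructed-demo-key-standing-in-for-the-machine-key"  # constructed

# Constructed user store. A real store keeps a one-way password hash, never the password.
USERS = {"alice": "correct horse"}


def sign(user_name: str) -> str:
    """Cookie value = user name plus HMAC, so the server can tell its own cookies from forgeries."""
    return user_name + "|" + hmac.new(SIGNING_KEY, user_name.encode(), hashlib.sha256).hexdigest()


def unsign(value: str) -> Optional[str]:
    """Recover the user name only if the MAC verifies; otherwise None (treated as anonymous)."""
    user_name, _, mac = value.partition("|")
    expected = hmac.new(SIGNING_KEY, user_name.encode(), hashlib.sha256).hexdigest()
    return user_name if user_name and hmac.compare_digest(mac, expected) else None


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None       # filled in by the cookie middleware


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    sign_in: Optional[str] = None    # set by a SignIn action, consumed by the middleware


Handler = Callable[[Request], Response]


def authorize(action: Handler) -> Handler:
    """Stand-in for the [Authorize] attribute: anonymous callers get 401."""
    def guarded(req: Request) -> Response:
        return action(req) if req.user else Response(401)
    return guarded


@authorize
def secret(req: Request) -> Response:
    return Response(200, body=f"hello {req.user}")


def login(req: Request) -> Response:
    """Login action: on a correct credential it asks the middleware to sign the user in."""
    name, password = req.form.get("name", ""), req.form.get("password", "")
    if hmac.compare_digest(USERS.get(name, "").encode(), password.encode()):
        return Response(302, headers={"Location": req.form.get("ReturnUrl", "/")}, sign_in=name)
    return Response(200, body="login page")


ROUTES: Dict[str, Handler] = {"/Home/Secret": secret, "/Account/Login": login}


def router(req: Request) -> Response:
    return ROUTES.get(req.path, lambda _r: Response(404))(req)


def application_cookie_middleware(next_handler: Handler) -> Handler:
    """Decodes the cookie on the way in; writes the cookie and turns 401 into 302 on the way out."""
    def handle(req: Request) -> Response:
        raw = req.cookies.get(COOKIE_NAME)
        if raw is not None:
            req.user = unsign(raw)              # None when the MAC does not verify
        resp = next_handler(req)
        if resp.sign_in:
            resp.headers["Set-Cookie"] = f"{COOKIE_NAME}={sign(resp.sign_in)}; Path=/; HttpOnly; Secure"
        if resp.status == 401:
            return Response(302, headers={"Location": "/Account/Login?ReturnUrl=" + quote(req.path, safe="")})
        return resp
    return handle


app = application_cookie_middleware(router)


def cookie_from(resp: Response) -> Dict[str, str]:
    """What the browser would store from the Set-Cookie header."""
    header = resp.headers.get("Set-Cookie", "")
    if not header:
        return {}
    name, _, value = header.split(";", 1)[0].partition("=")
    return {name: value}


def walkthrough() -> Dict[str, int]:
    """Status codes for: anonymous request, login, request with the issued cookie, unsigned cookie."""
    first = app(Request("/Home/Secret"))
    logged_in = app(Request("/Account/Login", form={"name": "alice", "password": "correct horse",
                                                    "ReturnUrl": "/Home/Secret"}))
    second = app(Request("/Home/Secret", cookies=cookie_from(logged_in)))
    unsigned = app(Request("/Home/Secret", cookies={COOKIE_NAME: "alice|" + "00" * 32}))
    return {"anonymous": first.status, "login": logged_in.status,
            "with_cookie": second.status, "unsigned": unsigned.status}


if __name__ == "__main__":
    print(walkthrough())
```

Note where the decision points live: the action only knows whether `req.user` is set, the middleware is the only code that touches the key, and the 401-to-302 rewrite happens after the action has returned, which is why a plain API client sees a redirect rather than a 401 unless the middleware is told otherwise.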