Session management and linking user accounts with OpenID, in ASP.NET
I am currently playing with DotNetOpenAuth to make an ASP.NET (C#) website use OpenID instead of the normal login-password routine for user and session handling.
Up till now, I have added the DotNetOpenAuth.dll into my project and tried a test login page with the following:
<rp:OpenIdLogin ID="OpenIdLogin1" runat="server" />
When I run the page, I enter a valid myopenid url and the website redirects to the myopenid page, where I enter my password, and upon success, it returns back to my default.aspx, due to the following in my web.config:
<authentication mode="Forms">
<forms defaultUrl="/Default.aspx" loginUrl="~/Login.aspx"/>
</authentication>
Now that the user is "logged in", how can I handle my session? At the moment, I don't know how I can, for example, check if the session is still alive or how to terminate the session.
My basic question is, how can I manage the session once the user is authenticated with OpenID?
[Update]
I am now using the following to check for authentication: HttpContext.Current.User, and with that I can now check if a user is authenticated with a session.
Now is there a possible way on how I can "link" user details that are stored in my database with an openid account?
OpenID logins with the OpenIdLogin control are (by default) no different than a username+password login from ASP.NET's point of view. As you've discovered, HttpContext.Current.User is set on each incoming HTTP request based on an HTTP cookie that ASP.NET FormsAuthentication sends to the browser in order to keep the session consistent from request to request. While you're in a page or its code-behind, the Page.User property is an even more convenient means.
But if you're doing access control, rather than check whether there's a logged in user in every page, it's best to use the <authorization>
tag in your web.config file to force the user to be logged in before accessing certain pages or directories of pages.
As far as linking user details, the key you want to associate with your users' details is the OpenID Claimed Identifier, which is what OpenIdLogin automatically assigns to the Username value for FormsAuthentication. So you can retrieve or store user details in your database based on the value of HttpContext.Current.User.Identity.Name, which will be the reliable and proven unique value for each user.
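As an added example (not code from the question, the answer, or DotNetOpenAuth itself), here is a code-behind for a page that relies on the forms-auth cookie described above: it reads the Claimed Identifier that OpenIdLogin stored as the forms-auth username, looks the user up with a parameterized query, and ends the session on logout. The `UsersDb` connection string, the `Users` table and its columns, and the `WelcomeLabel` / `LogoutButton` controls are assumptions for the example.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;

public partial class ProfilePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // <authorization><deny users="?"/></authorization> in web.config should already
        // keep anonymous users away from this page; this check covers the code-behind too.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // With OpenIdLogin's defaults, Identity.Name is the OpenID Claimed Identifier
        // (a URL such as "https://someone.myopenid.com/"), not a name the user typed.
        string claimedIdentifier = User.Identity.Name;
        string displayName = LookupDisplayName(claimedIdentifier);
        WelcomeLabel.Text = displayName ?? "First visit from " + claimedIdentifier;
    }

    // Assumed schema: Users(ClaimedIdentifier nvarchar(255) PRIMARY KEY, DisplayName nvarchar(100)).
    // The identifier arrives from an external party, so it is bound as a parameter,
    // never concatenated into the SQL text.
    private static string LookupDisplayName(string claimedIdentifier)
    {
        string connStr = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE ClaimedIdentifier = @id", conn))
        {
            cmd.Parameters.AddWithValue("@id", claimedIdentifier);
            conn.Open();
            return cmd.ExecuteScalar() as string; // null when no row is linked yet
        }
    }

    // Terminating the session: drop the forms-auth cookie and the ASP.NET session state,
    // then send the user back to the loginUrl configured in web.config.
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```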