考察 ASP.NET 2.0的Membership, Roles, and Profile - Part 4
2007-09-02 12:02
531 查看
本文英文原版及代码下载:
http://aspnet.4guysfromrolla.com/articles/050306-1.aspx#postadlink
考察 ASP.NET 2.0的Membership, Roles, and Profile - Part 4
导言:
ASP.NET 2.0 的Membership class类有一个ValidateUser(userName, password)方法,返回一个布尔值。用于验证用户的登录信息是否有效.该方法被Login Web控件自动调用,当然如果需要的话也可以通过编程调用.在Membership system,有几种情况,用户无法通过验证:
1.username无效
2.username有效,但password无效
3.username和password都有效,但
.用户可能还未被核准(approved)
.用户被锁定(locked out),原因可能是用户用无效密码登录了好几次( 默认为5次)
不幸的是,如果登录失败,ValidateUser(userName, password)方法只会返回一个False,而不包含为什么登录失败的具体原因.对Login控件而言,当ValidateUser(userName, password)方法返回False的同时,默认还会显示一个消息:"Your login attempt was not successful. Please try again." 如果是这种情况,用户被锁定(locked out)或帐户还未被核准——此时他们的username和password都没问题,显示这样的消息就让用户感到困惑了.在本文,我们将在登录过程中添加额外的反馈信息,以避免这种尴尬的情况.
审核和锁定(Locked Out)用户帐户
ASP.NET 2.0 Membership system里的用户帐户,我们可以利用Membership 和 MembershipUser classes类以编程的方式访问并进行修改.Membership包含一系列的方法以返回某一个或所有用户的信息、更新某个用户的信息等;而MembershipUser class类包含的属性描述了某个用户的具体情况(UserName, Email, LastLoggedOnDate等等).
Membership system可以将用户帐户标记为inactive(未审批)和locked out.当创建一个新帐号时,默认是被审批的.然后在某些情况下,你可能希望让管理员手动批准新帐户,或者是其它自动方式来审批(比如,点击一个确认连接发送邮件).不管是哪种方式,刚创建的用户都会被标记为inactive.这样,该用户就无法登录网站,因为ValidateUser(userName, password)总是返回False,无论用户名和密码是否正确.
由于验证过程是通过一个基于窗体的构架(forms-based scheme),只是简单的通过一个HTTP request来发送用户认证(credential).这样,某个攻击者便可以尝试破解某个用户帐户,方法是编写脚本遍历一个通用密码字典(a dictionary of common passwords),对某个特定的帐户,用字典里的所有密码尝试进行登录.为阻止这种攻击,如果在特定时间段内用无效密码登录了特定次数后,Membership system自动将某个用户锁定.默认设置为在10分钟内(a ten minute window)无效登录5次.当然,我们可以在Web.config文件里对其进行定制.和未审批用户一样,被锁定的用户同样不能登录网站,无论其用户名和密码是否正确.为了对用户进行解锁,需要调用MembershipUser class类的UnlockUser()方法.当从Login Web控件登录失败时,我们可以对登录页面进行定制以显示更多恰当的消息.
登录失败时显示更有价值的消息
当用户用Login Web控件进行登录时就会触发其LoginError事件.该事件不会传递指明登录失败的任何信息.不过,我们可以通过Login控件的UserName 和 Password属性来获取该用户的username 和 password.我们可以调用Membership.GetUser(userName)方法来获取用户帐户的信息. 该方法返回一个MembershipUser对象,我们可以检查其IsApproved 和 IsLockedOut属性来判定为何用户的认证被认为是无效的.
下面的代码显示了如何来实现它.最终的帮助信息显示在一个名为LoginErrorDetails的Label Web控件里.你在本文的下载代码里可看到Login页面的完整代码和声明.
Protected Sub Login1_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles
Login1.LoginError
'There was a problem logging in the user
'See if this user exists in the database
Dim userInfo As MembershipUser = Membership.GetUser(Login1.UserName)
If userInfo Is Nothing Then
'The user entered an invalid username...
LoginErrorDetails.Text = "There is no user in the database with the username " &
Login1.UserName
Else
'See if the user is locked out or not approved
If Not userInfo.IsApproved Then
LoginErrorDetails.Text = "Your account has not yet been approved by the site's
administrators. Please try again later..."
ElseIf userInfo.IsLockedOut Then
LoginErrorDetails.Text = "Your account has been locked out because of a maximum
number of incorrect login attempts. You will NOT be able to login until you contact a site
administrator and have your account unlocked."
Else
'The password was incorrect (don't show anything, the Login control already describes
the problem)
LoginErrorDetails.Text = String.Empty
End If
End If
End Sub
使用上面的代码,用户登录失败后将看到更有意义的消息.下面的截屏显示的是以Bruce(其帐户已被锁定)和Alfred(其帐户还未被审批)的名字登录的情形.没有上述的事件处理器,他们都只能看到标准的"Your login attempt was not successful. Please try again." 提示消息.很明显,他们将感到很迷惑,无法意识到其帐户已经被锁定或未被审批.
图1
图2
由于ASP.NET 2.0 Membership system可以锁定用户帐户并不再接受登录.如此情况,可提供一个快速反馈,看哪些用户被锁定,哪些用户未被审批.要捕获这些信息,我在membership数据库里创建了一个InvalidCredentialsLog表,其构架如下:
图3
Membership system包含一个ApplicationID,它允许多个应用程序在一个数据库里存储各自的用户帐户.理想情况下,该表应包含ApplicationID,并只报告当前应用程序的那些无效认证(假定你用一个单一的membership store来应对多个应用程序).我将其作为练习留给读者.
接下来,我将创建一个存储过程——InvalidCredentialsLog_Insert,它存储用户的username, password,和IP address.它检查当前username是否与aspnet_Users表里的用户匹配,若是,则提取用户的IsApproved 和 IsLockedOut列的值,然后添加到InvalidCredentialsLog_Insert表.
当用户无效登录时,需要调用该存储过程,并传入用户信息.为此,我创建了一个ID为InvalidCredentialsLogDataSource的SqlDataSource控件,设置其调用该存储过程,然后我们对Login Web控件的LoginError事件处理器进行扩充,为该存储过程设置参数并调用它:
Protected Sub Login1_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles
Login1.LoginError
'Set the parameters for InvalidCredentialsLogDataSource
InvalidCredentialsLogDataSource.InsertParameters("ApplicationName").DefaultValue =
Membership.ApplicationName
InvalidCredentialsLogDataSource.InsertParameters("UserName").DefaultValue = Login1.UserName
InvalidCredentialsLogDataSource.InsertParameters("IPAddress").DefaultValue =
Request.UserHostAddress
'The password is only supplied if the user enters an invalid username or invalid password -
set it to Nothing, by default
InvalidCredentialsLogDataSource.InsertParameters("Password").DefaultValue = Nothing
'There was a problem logging in the user
'See if this user exists in the database
Dim userInfo As MembershipUser = Membership.GetUser(Login1.UserName)
If userInfo Is Nothing Then
'The user entered an invalid username...
LoginErrorDetails.Text = "There is no user in the database with the username " &
Login1.UserName
'The password is only supplied if the user enters an invalid username or invalid password
InvalidCredentialsLogDataSource.InsertParameters("Password").DefaultValue =
Login1.Password
Else
'See if the user is locked out or not approved
If Not userInfo.IsApproved Then
LoginErrorDetails.Text = "Your account has not yet been approved by the site's
administrators. Please try again later..."
ElseIf userInfo.IsLockedOut Then
LoginErrorDetails.Text = "Your account has been locked out because of a maximum
number of incorrect login attempts. You will NOT be able to login until you contact a site
administrator and have your account unlocked."
Else
'The password was incorrect (don't show anything, the Login control already describes
the problem)
LoginErrorDetails.Text = String.Empty
'The password is only supplied if the user enters an invalid username or invalid
password
InvalidCredentialsLogDataSource.InsertParameters("Password").DefaultValue =
Login1.Password
End If
End If
'Add a new record to the InvalidCredentialsLog table
InvalidCredentialsLogDataSource.Insert()
End Sub
此外,我还构建了一个报告页面,在一个可分页、排序的GridView控件.如下所示,该页面也包含在下载内容里
.
图4:
就一般的网站而言,该InvalidCredentialsLog表可能会很大。我们可以采取一些措施来将超过某个时间的老的记录删除(比如3个月前的记录)。上面显示出来的报告很简单,对大数据的结果也没有进行优化处理.它使用默认的分页,从数据库将每个页面的数据都检索出来。如果想自定义分页,仅仅检索当前页面所需要的记录,请参阅文章《Custom Paging in ASP.NET 2.0 with SQL Server 2005》(http://aspnet.4guysfromrolla.com/articles/031506-1.aspx)
结语:
本文,我们看如何对登录过程进行优化,当被锁定或未为被审批的用户登录时显示更有意义的信息.这都要感谢Membership API,它可以通过编程、显式地(通过数据源控件)、或Web控件(比如Login Web控件)来访问.在下载代码里有一个Admin页面,它用一个GridView控件将系统的所有用户列出来,允许用户查看其审批状态、将锁定的用户解锁、查看某人用户是否是Administrator角色(只有Administrator角色才能查看与管理相关的页面)
祝编程快乐!
http://aspnet.4guysfromrolla.com/articles/050306-1.aspx#postadlink
考察 ASP.NET 2.0的Membership, Roles, and Profile - Part 4
导言:
ASP.NET 2.0 的Membership class类有一个ValidateUser(userName, password)方法,返回一个布尔值。用于验证用户的登录信息是否有效.该方法被Login Web控件自动调用,当然如果需要的话也可以通过编程调用.在Membership system,有几种情况,用户无法通过验证:
1.username无效
2.username有效,但password无效
3.username和password都有效,但
.用户可能还未被核准(approved)
.用户被锁定(locked out),原因可能是用户用无效密码登录了好几次( 默认为5次)
不幸的是,如果登录失败,ValidateUser(userName, password)方法只会返回一个False,而不包含为什么登录失败的具体原因.对Login控件而言,当ValidateUser(userName, password)方法返回False的同时,默认还会显示一个消息:"Your login attempt was not successful. Please try again." 如果是这种情况,用户被锁定(locked out)或帐户还未被核准——此时他们的username和password都没问题,显示这样的消息就让用户感到困惑了.在本文,我们将在登录过程中添加额外的反馈信息,以避免这种尴尬的情况.
审核和锁定(Locked Out)用户帐户
ASP.NET 2.0 Membership system里的用户帐户,我们可以利用Membership 和 MembershipUser classes类以编程的方式访问并进行修改.Membership包含一系列的方法以返回某一个或所有用户的信息、更新某个用户的信息等;而MembershipUser class类包含的属性描述了某个用户的具体情况(UserName, Email, LastLoggedOnDate等等).
Membership system可以将用户帐户标记为inactive(未审批)和locked out.当创建一个新帐号时,默认是被审批的.然后在某些情况下,你可能希望让管理员手动批准新帐户,或者是其它自动方式来审批(比如,点击一个确认连接发送邮件).不管是哪种方式,刚创建的用户都会被标记为inactive.这样,该用户就无法登录网站,因为ValidateUser(userName, password)总是返回False,无论用户名和密码是否正确.
由于验证过程是通过一个基于窗体的构架(forms-based scheme),只是简单的通过一个HTTP request来发送用户认证(credential).这样,某个攻击者便可以尝试破解某个用户帐户,方法是编写脚本遍历一个通用密码字典(a dictionary of common passwords),对某个特定的帐户,用字典里的所有密码尝试进行登录.为阻止这种攻击,如果在特定时间段内用无效密码登录了特定次数后,Membership system自动将某个用户锁定.默认设置为在10分钟内(a ten minute window)无效登录5次.当然,我们可以在Web.config文件里对其进行定制.和未审批用户一样,被锁定的用户同样不能登录网站,无论其用户名和密码是否正确.为了对用户进行解锁,需要调用MembershipUser class类的UnlockUser()方法.当从Login Web控件登录失败时,我们可以对登录页面进行定制以显示更多恰当的消息.
登录失败时显示更有价值的消息
当用户用Login Web控件进行登录时就会触发其LoginError事件.该事件不会传递指明登录失败的任何信息.不过,我们可以通过Login控件的UserName 和 Password属性来获取该用户的username 和 password.我们可以调用Membership.GetUser(userName)方法来获取用户帐户的信息. 该方法返回一个MembershipUser对象,我们可以检查其IsApproved 和 IsLockedOut属性来判定为何用户的认证被认为是无效的.
下面的代码显示了如何来实现它.最终的帮助信息显示在一个名为LoginErrorDetails的Label Web控件里.你在本文的下载代码里可看到Login页面的完整代码和声明.
Protected Sub Login1_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles
Login1.LoginError
'There was a problem logging in the user
'See if this user exists in the database
Dim userInfo As MembershipUser = Membership.GetUser(Login1.UserName)
If userInfo Is Nothing Then
'The user entered an invalid username...
LoginErrorDetails.Text = "There is no user in the database with the username " &
Login1.UserName
Else
'See if the user is locked out or not approved
If Not userInfo.IsApproved Then
LoginErrorDetails.Text = "Your account has not yet been approved by the site's
administrators. Please try again later..."
ElseIf userInfo.IsLockedOut Then
LoginErrorDetails.Text = "Your account has been locked out because of a maximum
number of incorrect login attempts. You will NOT be able to login until you contact a site
administrator and have your account unlocked."
Else
'The password was incorrect (don't show anything, the Login control already describes
the problem)
LoginErrorDetails.Text = String.Empty
End If
End If
End Sub
使用上面的代码,用户登录失败后将看到更有意义的消息.下面的截屏显示的是以Bruce(其帐户已被锁定)和Alfred(其帐户还未被审批)的名字登录的情形.没有上述的事件处理器,他们都只能看到标准的"Your login attempt was not successful. Please try again." 提示消息.很明显,他们将感到很迷惑,无法意识到其帐户已经被锁定或未被审批.
图1
图2
由于ASP.NET 2.0 Membership system可以锁定用户帐户并不再接受登录.如此情况,可提供一个快速反馈,看哪些用户被锁定,哪些用户未被审批.要捕获这些信息,我在membership数据库里创建了一个InvalidCredentialsLog表,其构架如下:
图3
Membership system包含一个ApplicationID,它允许多个应用程序在一个数据库里存储各自的用户帐户.理想情况下,该表应包含ApplicationID,并只报告当前应用程序的那些无效认证(假定你用一个单一的membership store来应对多个应用程序).我将其作为练习留给读者.
接下来,我将创建一个存储过程——InvalidCredentialsLog_Insert,它存储用户的username, password,和IP address.它检查当前username是否与aspnet_Users表里的用户匹配,若是,则提取用户的IsApproved 和 IsLockedOut列的值,然后添加到InvalidCredentialsLog_Insert表.
当用户无效登录时,需要调用该存储过程,并传入用户信息.为此,我创建了一个ID为InvalidCredentialsLogDataSource的SqlDataSource控件,设置其调用该存储过程,然后我们对Login Web控件的LoginError事件处理器进行扩充,为该存储过程设置参数并调用它:
Protected Sub Login1_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles
Login1.LoginError
'Set the parameters for InvalidCredentialsLogDataSource
InvalidCredentialsLogDataSource.InsertParameters("ApplicationName").DefaultValue =
Membership.ApplicationName
InvalidCredentialsLogDataSource.InsertParameters("UserName").DefaultValue = Login1.UserName
InvalidCredentialsLogDataSource.InsertParameters("IPAddress").DefaultValue =
Request.UserHostAddress
'The password is only supplied if the user enters an invalid username or invalid password -
set it to Nothing, by default
InvalidCredentialsLogDataSource.InsertParameters("Password").DefaultValue = Nothing
'There was a problem logging in the user
'See if this user exists in the database
Dim userInfo As MembershipUser = Membership.GetUser(Login1.UserName)
If userInfo Is Nothing Then
'The user entered an invalid username...
LoginErrorDetails.Text = "There is no user in the database with the username " &
Login1.UserName
'The password is only supplied if the user enters an invalid username or invalid password
InvalidCredentialsLogDataSource.InsertParameters("Password").DefaultValue =
Login1.Password
Else
'See if the user is locked out or not approved
If Not userInfo.IsApproved Then
LoginErrorDetails.Text = "Your account has not yet been approved by the site's
administrators. Please try again later..."
ElseIf userInfo.IsLockedOut Then
LoginErrorDetails.Text = "Your account has been locked out because of a maximum
number of incorrect login attempts. You will NOT be able to login until you contact a site
administrator and have your account unlocked."
Else
'The password was incorrect (don't show anything, the Login control already describes
the problem)
LoginErrorDetails.Text = String.Empty
'The password is only supplied if the user enters an invalid username or invalid
password
InvalidCredentialsLogDataSource.InsertParameters("Password").DefaultValue =
Login1.Password
End If
End If
'Add a new record to the InvalidCredentialsLog table
InvalidCredentialsLogDataSource.Insert()
End Sub
此外,我还构建了一个报告页面,在一个可分页、排序的GridView控件.如下所示,该页面也包含在下载内容里
.
图4:
就一般的网站而言,该InvalidCredentialsLog表可能会很大。我们可以采取一些措施来将超过某个时间的老的记录删除(比如3个月前的记录)。上面显示出来的报告很简单,对大数据的结果也没有进行优化处理.它使用默认的分页,从数据库将每个页面的数据都检索出来。如果想自定义分页,仅仅检索当前页面所需要的记录,请参阅文章《Custom Paging in ASP.NET 2.0 with SQL Server 2005》(http://aspnet.4guysfromrolla.com/articles/031506-1.aspx)
结语:
本文,我们看如何对登录过程进行优化,当被锁定或未为被审批的用户登录时显示更有意义的信息.这都要感谢Membership API,它可以通过编程、显式地(通过数据源控件)、或Web控件(比如Login Web控件)来访问.在下载代码里有一个Admin页面,它用一个GridView控件将系统的所有用户列出来,允许用户查看其审批状态、将锁定的用户解锁、查看某人用户是否是Administrator角色(只有Administrator角色才能查看与管理相关的页面)
祝编程快乐!
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 考察 ASP.NET 2.0的Membership, Roles, and Profile - Part 3
- 考察ASP.NET 2.0的Membership, Roles, and Profile - Part 7
- 【转贴】考察ASP.NET 2.0中的Membership, Roles, and Profile - Part 5
- 考察ASP.NET 2.0中的Membership, Roles, and Profile - Part 5
- 【转贴】考察ASP.NET 2.0的Membership, Roles, and Profile - Part 7
- 【转贴】考察ASP.NET 2.0的Membership, Roles和Profile - Part 9
- 考察ASP.NET 2.0的Membership, Roles,Profile - Part 8
- 【转贴】考察 ASP.NET 2.0的Membership, Roles, and Profile - Part 4
- 考察ASP.NET 2.0的Membership, Roles和Profile - Part 9
- 【转贴】考察ASP.NET 2.0的Membership, Roles,Profile - Part 6
- 考察ASP.NET 2.0的Membership, Roles,Profile - Part 6
- 【转贴】考察ASP.NET 2.0的Membership, Roles,Profile - Part 8
- 考察ASP.NET 2.0的Membership, Roles,Profile
- 考察ASP.NET 2.0的Membership, Roles和Profile
- 【转贴】考察ASP.NET 2.0Membership,Roles,Profile - Part 1
- ASP.NET 2.0 Security, Membership and Roles Tutorials
- 考察ASP.NET 2.0Membership,Roles,Profile - Part 1
- ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources
- ASP.NET 2.0 Membership and Roles Tutorial Series
- ASP.NET 成员资格 Part.5(Membership 类)