Saturday, 15 August 2015

delegates - ASP.NET Web API - Passing a UserToken (string) to a LoginController using a DelegatingHandler


I have an ASP.NET Web API project. The user name and password are sent in the HTTP header at the initial user login, validated over SSL, and the server

creates a database record with the server user ID, a random 64-character string (UserToken), the expiration date and the client IP address.

The UserToken is then sent to the client and stored in a cookie.

All later requests send the UserToken in an HTTP header, and the calling IP address is checked.

In this way the user name and password are sent only once, and using the UserToken all calls are logged.

I have made two custom delegating handlers - LoginAuthenticationHandler and TokenAuthenticationHandler - which process the HTTP headers and send an appropriate 200 or 400 HTTP response.

////////////////

My only problem is that I want the LoginAuthenticationHandler to return the UserToken to the client too, so it can be stored in a cookie.


Besides, I am new to Web API, so this may be the best place to do this, but this way the UserToken can be sent back to the login controller.

Thanks for any input :-)

Some related posts:

////////////////

    using System;
    using System.Net;
    using System.Net.Http;
    using System.Text;
    using System.Threading;
    using System.Threading.Tasks;
    using System.Web;

    public class LoginAuthenticationHandler : DelegatingHandler
    {
        public const string BasicScheme = "Basic";
        public const string ChallengeAuthenticationHeaderName = "WWW-Authenticate";
        public const char AuthorizationHeaderSeparator = ':';

        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // Get the Authorization HTTP header
            var authHeader = request.Headers.Authorization;
            if (authHeader == null)
            {
                // Unauthorized
                return CreateUnauthorizedResponse();
            }

            // Check that it is Basic authentication
            if (authHeader.Scheme != BasicScheme)
            {
                // Unauthorized
                return CreateUnauthorizedResponse();
            }

            // Decode username + password from the header
            var encodedCredentials = authHeader.Parameter;
            var credentialBytes = Convert.FromBase64String(encodedCredentials);
            var credentials = Encoding.ASCII.GetString(credentialBytes);
            var credentialParts = credentials.Split(AuthorizationHeaderSeparator);
            if (credentialParts.Length != 2)
            {
                // Unauthorized
                return CreateUnauthorizedResponse();
            }

            var username = credentialParts[0].Trim();
            var password = credentialParts[1].Trim();

            // Authenticate username + password and get the user ID
            // (User is the project's own data-access class, not shown in the post)
            var userId = new User().GetUserIdFromUserNamePassword(username, password);
            if (userId == 0)
            {
                // Unauthorized
                return CreateUnauthorizedResponse();
            }

            // User is authorized - create a new UserToken
            var ipAddress = HttpContext.Current.Request.UserHostAddress;
            var userToken = new User().CreateUserToken(ipAddress, userId);

            return base.SendAsync(request, cancellationToken).ContinueWith(task =>
            {
                var response = task.Result;
                // ==================================================
                // Return the UserToken to the controller here?
                // HttpRequestMessage.Properties?
                // ==================================================
                return response;
            });
        }

        private static Task<HttpResponseMessage> CreateUnauthorizedResponse()
        {
            // Send back HTTP 401 Unauthorized if authentication fails
            var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            response.Headers.Add(ChallengeAuthenticationHeaderName, BasicScheme);
            var taskCompletionSource = new TaskCompletionSource<HttpResponseMessage>();
            taskCompletionSource.SetResult(response);
            return taskCompletionSource.Task;
        }
    }

Generally, HTTP services are stateless and the concept of login does not apply. A login controller is for MVC controllers, not Web API. What you are trying to do is not good practice, even if it is technically possible.

If you really want to do it, then you should not think along the lines of sending the session data (which you call a user token) to the login controller; you can write the cookie in the response in your message handler. See . You should keep the data in the cookie encrypted in that case. You can make your own cookie or, instead, use forms authentication and the cookie with the FormsAuthentication ticket. See .

BTW, this is possible, and it is easy to spoof client IP addresses.
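The two points above, as an added example that is neither the question's nor the answer's code: the handler hands the token to the downstream controller through HttpRequestMessage.Properties (the question's open point) and, on the way out, writes it to the client as a machine-key-protected, HttpOnly, Secure cookie (the answer's suggestion). The property key, the cookie name, the cookie lifetime and the IssueUserToken placeholder (standing in for the post's own new User().CreateUserToken) are assumptions, not names from the post.

```csharp
// Added example, not from the question or the answer.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Security;

public class TokenIssuingHandler : DelegatingHandler
{
    public const string UserTokenPropertyKey = "UserToken"; // assumed key
    public const string UserTokenCookieName = "UserToken";  // assumed cookie name

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // The Basic-credential check from the question's handler would run here;
        // this example starts after a successful check and issues the token.
        string userToken = IssueUserToken();

        // (a) Make the token available to the controller through the request's property bag.
        request.Properties[UserTokenPropertyKey] = userToken;

        var response = await base.SendAsync(request, cancellationToken);

        if (response.StatusCode == HttpStatusCode.OK)
        {
            // (b) Encrypt and sign the value with the machine key before it goes into the
            // cookie, so the client can neither read nor tamper with it (MachineKey.Protect, .NET 4.5+).
            byte[] protectedBytes = MachineKey.Protect(
                Encoding.UTF8.GetBytes(userToken), "UserToken cookie");
            string cookieValue = Convert.ToBase64String(protectedBytes);

            var cookie = new CookieHeaderValue(UserTokenCookieName, cookieValue)
            {
                Expires = DateTimeOffset.UtcNow.AddHours(8), // assumed lifetime; match the DB expiry
                HttpOnly = true, // not readable by script
                Secure = true,   // only sent over TLS
                Path = "/"
            };
            response.Headers.AddCookies(new[] { cookie });
        }
        return response;
    }

    // Placeholder for the post's new User().CreateUserToken(ipAddress, userId):
    // 48 bytes from a CSPRNG encode to exactly 64 base64 characters.
    private static string IssueUserToken()
    {
        var bytes = new byte[48];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }
}

// The controller reads the token from the same property bag, e.g. to log the login.
public class LoginController : ApiController
{
    [HttpPost]
    public IHttpActionResult Login()
    {
        object token;
        if (!Request.Properties.TryGetValue(TokenIssuingHandler.UserTokenPropertyKey, out token))
        {
            return Unauthorized();
        }
        // Token is available here as (string)token; the client receives it in the cookie.
        return Ok(new { loggedIn = true });
    }
}
```

Register the handler with config.MessageHandlers.Add(new TokenIssuingHandler()) in the Web API configuration. Because the cookie is HttpOnly, the controller does not echo the token in the response body; the client sends the cookie back automatically, and the handler that validates it on later requests unprotects the value with MachineKey.Unprotect using the same purpose string.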
