The ASP.NET Web Pages stack comes with SimpleMembership, of which the best explanation is Matthew Osborn's Using SimpleMembership. SimpleMembership is a lightweight user/login/membership system which allows a cookie to be used for "remember me" login purposes. I would like to improve the security of the cookie by forcing the cookie to be httpOnly and be a secure (https only) cookie. How can I do this?
Update: @Darin Dimitrov pointed out that httpOnly is session only which is not what I want.
If you don't use a persistent cookie that would mean that the cookie is no longer stored on the client computer, which kind of defeats the whole purpose of the remember me functionality. HttpOnly cookies are stored in the memory of the browser but only for the given session. In order to improve security make sure that the cookie is set with the secure flag, which indicates that this cookie will be transmitted only over an encrypted connection.
If that applies to you, I suggest having a look at the source code and seeing how it's done: http://aspnetwebstack.codeplex.com/SourceControl/changeset/view/9c98c6e9a150#src%2fWebMatrix.WebData%2fWebSecurity.cs
Now that I've checked myself... :) this is how they look as of now:
public static bool Login(string userName, string password, bool persistCookie = false)
{
    VerifyProvider();
    bool success = Membership.ValidateUser(userName, password);
    if (success)
    {
        // persistCookie is the "remember me" switch; HttpOnly/Secure are whatever
        // FormsAuthentication derives from web.config, not set here
        FormsAuthentication.SetAuthCookie(userName, persistCookie);
    }
    return success;
}

public static void Logout()
{
    VerifyProvider();
    FormsAuthentication.SignOut();
}
Where Membership provides about the same API as the System.Web.Security.Membership -- which is actually swapped with WebMatrix.WebData.SimpleMembershipProvider at startup.
Basically if you want a custom auth cookie mechanism you've got to implement your own login & logout logic. The web has plenty of samples in that direction.
I hope this helps a bit. Good luck! :)
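The answer above stops at "implement your own login & logout logic". The following is an added example (not code from WebMatrix.WebData or from the answer's author) of what that looks like: it keeps the contract of WebSecurity.Login shown above, but builds the forms-authentication cookie with FormsAuthentication.GetAuthCookie instead of SetAuthCookie so that the HttpOnly and Secure flags are set explicitly rather than inherited from web.config. The class name SecureCookieLogin is my own; it assumes Membership has already been pointed at SimpleMembershipProvider (i.e. WebSecurity.InitializeDatabaseConnection has run) and that it is called from a request served over HTTPS.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: a drop-in replacement for WebSecurity.Login/Logout that forces
// the "remember me" cookie to be HttpOnly and Secure. Not part of WebMatrix.WebData.
public static class SecureCookieLogin
{
    public static bool Login(string userName, string password, bool persistCookie = false)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null)
        {
            throw new InvalidOperationException("Login requires an HTTP request context.");
        }

        // A cookie flagged Secure is ignored by the browser when it arrives in an
        // http:// response, so refuse to log in over plain HTTP instead of silently
        // issuing a cookie that will never come back.
        if (!ctx.Request.IsSecureConnection)
        {
            throw new InvalidOperationException("Login must be performed over HTTPS.");
        }

        // Same credential check as WebSecurity.Login; Membership is assumed to be
        // the SimpleMembershipProvider swapped in at startup.
        if (!Membership.ValidateUser(userName, password))
        {
            return false;
        }

        // Build the ticket cookie ourselves. persistCookie == true gives the
        // long-lived "remember me" cookie; the flags below apply either way.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, persistCookie);
        authCookie.HttpOnly = true; // not readable via document.cookie from script
        authCookie.Secure = true;   // only transmitted over an encrypted connection
        ctx.Response.Cookies.Add(authCookie);
        return true;
    }

    public static void Logout()
    {
        // Clears the forms-authentication ticket cookie for the current request.
        FormsAuthentication.SignOut();
    }
}
```

If you would rather not replace the login logic, the same two flags can be forced declaratively: the cookie that FormsAuthentication.SetAuthCookie issues has been HttpOnly by default since ASP.NET 2.0, and setting `<forms requireSSL="true" />` under `<authentication mode="Forms">` in web.config makes it Secure as well (`<httpCookies httpOnlyCookies="true" requireSSL="true" />` does the same for every cookie the application sets). The caveat is the same as in the code above: with requireSSL="true", FormsAuthentication throws an HttpException if the login request did not come in over HTTPS, so the login page itself must be served over TLS.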