
asp web service: check if user is logged-in

Developer https://www.devze.com 2023-01-22 17:04 Source: Internet

I'm creating a web service that'll be called from a web form in asp.net. How does the web service check if the user is logged-in and if it is the logged-in user that's actually requesting the service?

thanks


It cannot. Since you're going to call the web service from ASP.NET, you're building a 3-tier application.

Tier 1 is the browser and tier 2 is the ASP.NET web application. They share cookies and session variables, so ASP.NET can always authenticate the user. And you already know that.

Tier 3 is the web service. Communication between 2 and 3 is done over a different HTTP connection, sharing different cookies (actually none) and session variables (again, actually none because calls are stateless).

You then have no way to allow the web service on tier 3 to authenticate the client on tier 1.

HOWEVER...............

There is still a possibility, but only if your web service is local to your ASP.NET webapp. That's unlikely to occur, really, because web services are made for remote calls, not local calls. I don't think it's your case.


If this is a local web service, as djechelon suggests, they will share session state and you are all set. Use djechelon's answer, ignore mine :)

If not: ask the larger question: what is stopping someone from calling your web service outside the context of your web app, using a tool like soapUI?

1) lock down your service (using WCF Security). http://msdn.microsoft.com/en-us/library/ms731925.aspx

2) create a local webservice that checks authentication/authorization, and calls the webservice: passing the authorization information.

This is one approach that values the operation the WS performs over redundant web service calls. It is your discretion if a WS that calls another fits your performance needs.
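
One way to pass the authorization information in option 2, shown as an added example that is not part of the original answers: the ASP.NET tier signs the caller's identity and the remote service verifies it. The class name `CallerAssertion`, the `user|role|expiry|signature` token format and the shared key are all assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper shared by tier 2 (ASP.NET app) and tier 3 (web service).
public static class CallerAssertion
{
    // Tier 2: after checking the session, sign "user|role|expiry" with a key
    // known only to the two servers, and send the result with the service call.
    public static string Issue(byte[] key, string user, string role, DateTime nowUtc, TimeSpan lifetime)
    {
        if (user.Contains("|") || role.Contains("|"))
            throw new ArgumentException("'|' is the field separator");
        long expires = nowUtc.Add(lifetime).Ticks;
        string payload = user + "|" + role + "|" + expires;
        return payload + "|" + Sign(key, payload);
    }

    // Tier 3: accept the call only if the signature matches and the assertion
    // has not expired. Returns false for anything malformed.
    public static bool TryVerify(byte[] key, string token, DateTime nowUtc, out string user, out string role)
    {
        user = null; role = null;
        string[] parts = (token ?? "").Split('|');
        long expires;
        if (parts.Length != 4 || !long.TryParse(parts[2], out expires)) return false;
        string payload = parts[0] + "|" + parts[1] + "|" + parts[2];
        if (!FixedTimeEquals(Sign(key, payload), parts[3])) return false;
        if (nowUtc.Ticks > expires) return false;
        user = parts[0]; role = parts[1];
        return true;
    }

    private static string Sign(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compare without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The web app calls `Issue` only after its own session check succeeds, and the remote service calls `TryVerify` at the top of every web method before doing any work. A short lifetime and an HTTPS connection between the two tiers limit what a captured token is worth.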


You can enable session in a WebMethod like this:

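    [WebMethod(EnableSession = true)]
    public string DoSomthing(string para)
    {
        // EnableSession = true makes HttpContext.Current.Session available here
        SystemUser user = new SystemUser();
        if (!user.Authenticate())
        {
            // 401 Unauthenticated
            HttpContext.Current.Response.StatusCode = 401;
            return null;
        }
        // ... handle the request for the authenticated user ...
        return string.Empty; // placeholder result
    }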

Authenticate Method:

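    // Member of SystemUser; needs "using System;" and "using System.Web;".
    public bool Authenticate()
    {
        try
        {
            // Assumes the login code stored UName and Role in the session;
            // if either is missing, treat the caller as not logged in.
            if (HttpContext.Current.Session["UName"] == null || HttpContext.Current.Session["Role"] == null)
            {
                return false;
            }
            else
            {
                this.Id = HttpContext.Current.Session["UName"].ToString();
                this.Role = (Core.Role)HttpContext.Current.Session["Role"];
                return true;
            }
        }
        catch (Exception ex)
        {
            // Keep the original exception as InnerException
            throw new Exception("Authenticate", ex);
        }
    }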