替代基于Cookie的会话/认证
有没有在servicestack会议功能插件的方法吗?在某些情况下,我不能使用Cookie的会话授权在我服务的实现相匹配。有没有解决使用请求的HTTP头中的令牌会话的可能性?是什么使preferred解决方案的情况下,浏览器阻止了Cookie?
Is there an alternative to the session feature plugin in servicestack? In some scenarios I cannot use cookies to match the authorized session in my service implementation. Is there a possibility to resolve the session using a token in http header of the request? What is the preferred solution for that in case the browser is blocking cookies?
我使用ServiceStack没有内置的身份验证和会话提供商。
I'm using ServiceStack without the built-in auth and session providers.
我用的属性按要求过滤器收集用户信息(ID和令牌),无论是从一个cookie,请求头或者字符串参数。
用户需要登录后,您可以提供此信息。您添加一个新的cookie来响应,并注入上客户方的ID和令牌信息渲染视图,使您可以使用HTTP头和查询参数的链接。
I use a attribute as request filter to collect the user information (id and token), either from a cookie, request header or string parameter. You can provide this information after the user takes login. You append a new cookie to the response and inject the id and token info on clientside when rendering the view, so you can use for http headers and query parameters for links.
public class AuthenticationAttribute : Attribute, IHasRequestFilter
{
public void RequestFilter(IHttpRequest request, IHttpResponse response, object dto)
{
var userAuth = new UserAuth { };
if(!string.IsNullOrWhiteSpace(request.GetCookieValue("auth"))
{
userAuth = (UserAuth)request.GetCookieValue("auth");
}
else if (!string.IsNullOrEmpty(request.Headers.Get("auth-key")) &&
!string.IsNullOrEmpty(request.Headers.Get("auth-id")))
{
userAuth.Id = request.Headers.Get("id");
userAuth.Token = request.Headers.Get("token");
}
authenticationService.Authenticate(userAuth.Id, userAuth.token);
}
public IHasRequestFilter Copy()
{
return new AuthenticationAttribute();
}
public int Priority { get { return -3; } } // negative are executed before global requests
}
如果用户没有被授权,我重定向他在这一点上。
If the user isn't authorized, i redirect him at this point.
我的项目支持SPA。如果用户使用消耗xmlhtt prequests的API,认证的东西用头完成。我在注入时,页面加载AngularJS的信息,并重新使用它的所有请求(局部视图,API消费等)。 ServiceStack是强大的这种类型的东西,你可以轻松地配置您的应用程序AngularJS和ServiceStack视图引擎携手并肩,验证每一个请求,全球化您的应用程序等。
My project supports SPA. If the user consumes the API with xmlhttprequests, the authentication stuff is done with headers. I inject that information on AngularJS when the page is loaded, and reuse it on all request (partial views, api consuming, etc). ServiceStack is powerful for this type of stuff, you can easily configure your AngularJS app and ServiceStack view engine to work side by side, validating every requests, globalizing your app, etc.
如果你没有cookie和请求不被JavaScript调用,可以支持认证,而不饼干,如果你总是生成的链接传递ID和令牌作为查询参数,并通过隐藏的输入通过他们形式,例如
In case you don't have cookies and the requests aren't called by javascript, you can support the authentication without cookies if you always generate the links passing the id and token as query parameters, and pass them through hidden input on forms, for example.