In a generic asp.net website with Membership, Roles and hashed passwords enabled, I would like to provide the administrators with impersonation so that they may browse the website as that user would. The website should function as if that user is logged on and then be able to revert to their own login.
在具有会员资格,角色和散列密码的通用asp.net网站中,我想向管理员提供模拟,以便他们可以像该用户一样浏览网站。该网站应该像该用户登录一样运行,然后能够恢复到他们自己的登录。
What is the best approach to achieve this?
实现这一目标的最佳方法是什么?
An example use-case: A website with two types of users: 'Buyer' and 'Admin'. The website provides a 'Purchase' button to buy something specifically provided to the user by the admins. i.e only that buyer can use the purchase button and make a payment. User has trouble so a support admin can 'impersonate' the user's login and purchase on their behalf or 'see' the trouble they are facing.
示例用例:具有两种类型用户的网站:“买方”和“管理员”。该网站提供了一个“购买”按钮,用于购买管理员专门提供给用户的内容。即只有买家才能使用购买按钮并付款。用户遇到问题,因此支持管理员可以“冒充”用户登录和代表他们购买或“看到”他们面临的问题。
Without impersonation, the only way is to allow this in code and that negates the purpose of 'seeing the user's issue'. Not even if I was not using hashed passwords and had used FormsAuthentication.SignOut() and manually logged in the admin as the user.
没有模仿,唯一的方法是在代码中允许这样做,否定“看到用户问题”的目的。即使我没有使用散列密码并且使用了FormsAuthentication.SignOut()并且以用户身份手动登录管理员。
I hope i am making sense above.
我希望我上面有道理。
2 个解决方案
#1
6
Take a look at this sample on codeproject.com. I think it does what you're looking for.
在codeproject.com上查看此示例。我认为它可以满足您的需求。
#2
1
I don't have the code we used to do this in front of me (assignment from a few years ago), but there are bits in the Membership API to sign someone in using code. I will not have access to the code until this weekend, unfortunately, or I could quickly share the bits and be done with this.
我没有在我面前执行此操作的代码(几年前的分配),但在Membership API中有一些位用于使用代码签名。不幸的是,直到本周末我才能访问代码,或者我可以快速分享这些内容并完成这项工作。
I do remember you had to get the user first, as a MembershipUser, using the Membership class. I am not sure, from this point, whether you had to validate against provider or what.We did use a custom provider, but I forget whether it was related to this solution.
我确实记得你必须首先使用Membership类作为MembershipUser来获取用户。从这一点来说,我不确定你是否必须验证提供商或者什么。我们确实使用了自定义提供商,但我忘记它是否与此解决方案有关。
Regardless, examine the security bits, focusing on membership and membershipUser.
无论如何,检查安全位,重点关注成员资格和成员资格。
#1
6
Take a look at this sample on codeproject.com. I think it does what you're looking for.
在codeproject.com上查看此示例。我认为它可以满足您的需求。
#2
1
I don't have the code we used to do this in front of me (assignment from a few years ago), but there are bits in the Membership API to sign someone in using code. I will not have access to the code until this weekend, unfortunately, or I could quickly share the bits and be done with this.
我没有在我面前执行此操作的代码(几年前的分配),但在Membership API中有一些位用于使用代码签名。不幸的是,直到本周末我才能访问代码,或者我可以快速分享这些内容并完成这项工作。
I do remember you had to get the user first, as a MembershipUser, using the Membership class. I am not sure, from this point, whether you had to validate against provider or what.We did use a custom provider, but I forget whether it was related to this solution.
我确实记得你必须首先使用Membership类作为MembershipUser来获取用户。从这一点来说,我不确定你是否必须验证提供商或者什么。我们确实使用了自定义提供商,但我忘记它是否与此解决方案有关。
Regardless, examine the security bits, focusing on membership and membershipUser.
无论如何,检查安全位,重点关注成员资格和成员资格。