Securing Cookies for Default MVC 5 Application

2019-07-07 11:46发布

I've started a new MVC 5 application in VS2013 (with Authentication = Individual User Accounts in the wizard).

I'm looking at my web.config file and it says:

    <authentication mode="None" />

However, I can clearly create an account and login to my site. So this is a little bit of a mystery. I have read that if I were using forms authentication, that I would need to mark my cookies SSL-only for my site to be secure (just got SSL working yesterday).

Is there an analogous step if my authentication mode is set to "None"?

What does "None" really mean in this context, since I can clearly authenticate to my site?

I'm hosting on Azure, if it makes a difference, but I assume it doesn't.

1条回答
不美不萌又怎样
2楼-- · 2019-07-07 12:27

MVC5 doesn't use forms authentication anymore. It uses OWIN middleware on asp.net identity framework to handle authentication stuff. You will be able to see authentication related configurations on Startup.Auth.cs file which is located on App_Start folder.

<authentication mode="None" />

Authentication mode set to None as you are using MVC5 Individual User Accounts (not any other old / forms authentication). That means old web.config authentication configurations no longer available on MVC5 with asp.net identity framework.

If you used MVC5 Windows Authentication, then authentication mode will be windows

<authentication mode="Windows" />

Nothing to worry about hosting on azure as we have been hosted and managing number of mvc5 Cookie Based Authentication applications on azure without any issues.

Also you will notice that there is another configuration on web.config as follow.

<modules>
  <remove name="FormsAuthentication" />
</modules>

This is for removing the HTTP module as no longer needed when using MVC5 individual user accounts authentication stuffs.

查看更多
登录 后发表回答