关于form验证的处理片断

        /// <summary>
        /// Issues a Forms Authentication ticket for <paramref name="user"/> and writes it to the
        /// response as the forms cookie. The ticket carries only the nickname (as the ticket name)
        /// and the e-mail (as user-data); the e-mail is the key GetAuthenticatedUser later uses to
        /// look the account up again, so it must stay stable for the lifetime of the ticket.
        /// </summary>
        /// <param name="user">The account that has just been authenticated.</param>
        /// <param name="createPersistentCookie">
        /// True to issue a persistent ("remember me") cookie that outlives the browser session;
        /// false for a session cookie. This flag is unrelated to cookieless / URL-carried tickets.
        /// </param>
        public virtual void SignIn(s_User user, bool createPersistentCookie)
        {
            // Issue and expiry are expressed in local time; the lifetime comes from _expirationTimeSpan
            // (commonly set from FormsAuthentication.Timeout).
            var issuedAt = DateTime.UtcNow.ToLocalTime();
            var expiresAt = issuedAt.Add(_expirationTimeSpan);

            // Step 1: build the ticket (version 1).
            // NOTE(review): Identity.Name will be the nickname; if nicknames are not unique,
            // anything that authorizes by Identity.Name is ambiguous — confirm.
            var authTicket = new FormsAuthenticationTicket(
                1,
                user.Nickname,
                issuedAt,
                expiresAt,
                createPersistentCookie,
                user.Email,
                FormsAuthentication.FormsCookiePath);

            // Step 2: let the framework protect the ticket and turn it into a cookie-safe string.
            string cookieValue = FormsAuthentication.Encrypt(authTicket);

            // Step 3: emit the cookie. HttpOnly keeps it out of reach of client script; Secure simply
            // mirrors the requireSSL setting, so with requireSSL=false the ticket travels over plain HTTP.
            var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieValue)
            {
                HttpOnly = true,
                Secure = FormsAuthentication.RequireSSL,
                Path = FormsAuthentication.FormsCookiePath,
            };
            if (FormsAuthentication.CookieDomain != null)
            {
                authCookie.Domain = FormsAuthentication.CookieDomain;
            }
            // Only a persistent ticket gets an explicit cookie expiry; a session cookie gets none.
            if (authTicket.IsPersistent)
            {
                authCookie.Expires = authTicket.Expiration;
            }

            _httpContext.Response.Cookies.Add(authCookie);
            _cachedUser = user;

            // The framework shortcut for all of the above is FormsAuthentication.SetAuthCookie(loginName, true);
            // the manual route is only needed because custom user-data (the e-mail) rides in the ticket.
        }



        // Resolve the user behind the current request's authentication ticket.

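        /// <summary>
        /// Resolves the user behind the current request's Forms Authentication ticket.
        /// Returns null when there is no authenticated forms identity, when the ticket carries
        /// no e-mail, when no account matches that e-mail, or when the matched account is not
        /// active. (Previously an inactive account was still returned — only the caching was
        /// skipped — so a disabled user kept working until the ticket expired.)
        /// </summary>
        /// <returns>The active account for the current ticket, or null.</returns>
        public virtual s_User GetAuthenticatedUser()
        {
            // Per-request memo. NOTE(review): this is only safe if this service is scoped per
            // HTTP request; a longer-lived instance would hand one request's user to the next —
            // confirm the DI lifetime.
            if (_cachedUser != null) return _cachedUser;

            // No context, no request, not authenticated, or authenticated by something other
            // than the forms module: nothing to resolve.
            if (_httpContext == null ||
                _httpContext.Request == null ||
                !_httpContext.Request.IsAuthenticated ||
                !(_httpContext.User.Identity is FormsIdentity))
            {
                return null;
            }

            // By the time Identity is a FormsIdentity the forms module has already read and
            // decrypted the cookie; UserData is the e-mail that SignIn stored in the ticket.
            var formsIdentity = (FormsIdentity)_httpContext.User.Identity;
            var userEmail = formsIdentity.Ticket.UserData;
            if (String.IsNullOrWhiteSpace(userEmail)) return null;

            var user = _userService.GetUserByEmail(userEmail);

            // An account deactivated after its ticket was issued must not be treated as
            // authenticated: nothing here revokes the ticket itself, so this check is the
            // only server-side revocation point.
            if (user == null || !user.Active) return null;

            _cachedUser = user;
            return user;
        }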



        /// <summary>
        /// Signs the current user out: forgets the per-request cached user and asks the forms
        /// module to clear the authentication cookie on the response.
        /// NOTE(review): FormsAuthentication.SignOut only affects this response; a ticket value
        /// already captured by an attacker is presumably still accepted until it expires — confirm,
        /// and rely on the Active check in GetAuthenticatedUser for server-side revocation.
        /// </summary>
        public virtual void SignOut()
        {
            // Drop the memoised user before touching the cookie, so a failure in the
            // framework call cannot leave a stale identity cached for this request.
            this._cachedUser = null;
            FormsAuthentication.SignOut();
        }

 
