如何注销ASP.NET Core Cookie身份验证中的所有用户? [英] How to logout all users in ASP.NET Core cookie authentication?

问题描述

我正在将ASP.NET Core MVC与CookieAuthentication一起使用.有没有一种方法可以一次注销所有用户?我尝试重置IIS-无法正常工作.我尝试删除所有用户的会话(我正在使用数据库进行会话存储)-无法正常工作.

I'm using ASP.NET Core MVC with CookieAuthentication. Is there a way I can sign all users out at once? I tried resetting IIS - didn't work. I tried deleting all the users' sessions (I'm using a database for session storage) - didn't work.

有什么想法吗?

推荐答案

使用CookieAuthentication，cookie只是包含用户名，角色和辅助数据的加密字符串.简而言之，它标识用户，而不是会话.终止会话不会使cookie无效.

With CookieAuthentication, the cookie is simply an encrypted string containing the user's name, roles, and auxilliary data. In short, it identifies the user, not the session. Killing sessions does not invalidate the cookie.

也就是说，您可以在cookie的辅助数据中填充会话标识符或其他令牌，然后在身份验证过程中对其进行验证.可以尝试以下操作的示例

That being said, you can stuff a session identifier or other token in the cookie's auxiliary data, and then validate that during the authentication process. An example of someone trying to this can be found here.

另一个选择是代替无效的会话，您可以暂时禁用用户存储库中的用户. 此处是使用ASPNET Identity 2.0的示例.

Another option is instead of invalidating sessions you can temporarily disable users in your user repository. Here is an example using ASPNET Identity 2.0.

第三个(核)选项是更改机器密钥所有Web服务器，这将使所有旧形式的身份验证Cookie都不可读，从而迫使所有用户再次登录.

A third (nuclear) option is to change the machine key on all web servers, which will render any old forms authentication cookies unreadable, forcing all users to sign on again.

这篇关于如何注销ASP.NET Core Cookie身份验证中的所有用户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！