Cookie Authentication Early Expiration


Problem description

In my ASP.NET MVC Core 2.0 application I have set it up to use the cookie authentication scheme without using Identity, as we have our own backend authentication storage and API.

The authentication and authorization work perfectly every time.

However, no matter what, the login/session expires after approximately 30 minutes. You can see that we are setting the timeout to 120 minutes for both the authentication cookie and the session cookie.

Application info:

  • Platform: .NET 4.7.x (on Windows)
  • Framework: ASP.NET Core 2.x
  • IIS is used as the proxy server

Update: Replaced services.AddMemoryCache() with services.AddDistributedRedisCache(..) - testing to see how this works

Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    // Redis-backed IDistributedCache; the session middleware stores its data here.
    services.AddDistributedRedisCache(options =>
    {
        options.Configuration = "localhost";
        options.InstanceName = "CoreTestInstance";
    });

    services.AddAuthentication("CookieAuthenticationScheme")
        .AddCookie("CookieAuthenticationScheme", options =>
        {
            options.Cookie.Name = authSettings.Name;
            // false: the authentication cookie is readable from client-side script.
            options.Cookie.HttpOnly = false;
            // Ignored by cookie authentication in ASP.NET Core 2.x; ExpireTimeSpan sets the lifetime.
            options.Cookie.Expiration = TimeSpan.FromMinutes(120);
            options.ExpireTimeSpan = TimeSpan.FromMinutes(120);
            options.AccessDeniedPath = new PathString("/Errors/StatusCodeErrors/401");
            options.LoginPath = "/Account/Login";
        });

    // services.AddMemoryCache();
    services.AddSession(options =>
    {
        options.Cookie.Name = sessSettings.Name;
        options.Cookie.HttpOnly = false;
        options.IdleTimeout = TimeSpan.FromMinutes(120);
    });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseBrowserLink();
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Errors/Default");
    }
    app.UseStatusCodePagesWithRedirects("/Errors/StatusCodeErrors/{0}");
    app.UseStaticFiles();
    app.UseAuthentication();
    app.UseSession();
    app.UseMvc();
}

AccountController.cs

[HttpPost("Login")]
public async Task<IActionResult> Login(AccountModel model)
{
    // Build the claims for the signed-in user.
    var claims = new List<Claim>();
    claims.Add(new Claim(ClaimTypes.Name, model.UserName));
    claims.Add(new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String, model.UserName));

    var identity = new ClaimsIdentity(claims, "login");
    var principal = new ClaimsPrincipal(identity);

    // Issue the authentication cookie for the named scheme.
    await HttpContext.SignInAsync("CookieAuthenticationScheme", principal);

    // The action has to return a result; this redirect target is an assumption.
    return LocalRedirect("/");
}

Recommended answer

You're using in-memory sessions, which are tied to the process. That process in IIS is your App Pool. By default, the App Pool recycles automatically after a period of time. When it recycles, it takes your sessions with it.

Use a persistent session store: SQL Server, Redis, etc. (Sessions use distributed cache, so the way you set up persistent sessions is to set up a persistent distributed cache store.)
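
As an added example (not code from the question or the answer), this Startup applies the answer's suggestion with SQL Server as the persistent distributed cache, next to the process-bound registration it replaces. The connection string name, table name and cookie names are assumptions, and the cookies are marked HttpOnly here.

```csharp
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Process-bound cache: session entries live in the worker process and
        // are lost whenever the IIS application pool recycles.
        // services.AddDistributedMemoryCache();

        // Persistent cache: session entries are rows in SQL Server and survive a recycle.
        // The table is created once beforehand with the sql-cache tool:
        //   dotnet sql-cache create "<connection string>" dbo SessionCache
        services.AddDistributedSqlServerCache(options =>
        {
            options.ConnectionString = _config.GetConnectionString("SessionCache"); // assumed name
            options.SchemaName = "dbo";
            options.TableName = "SessionCache"; // assumed table name
        });

        // Session state is stored in whichever IDistributedCache is registered above.
        services.AddSession(options =>
        {
            options.Cookie.Name = "App.Session"; // placeholder cookie name
            options.Cookie.HttpOnly = true;      // keep the session id away from script
            options.IdleTimeout = TimeSpan.FromMinutes(120);
        });

        services.AddAuthentication("CookieAuthenticationScheme")
            .AddCookie("CookieAuthenticationScheme", options =>
            {
                options.Cookie.Name = "App.Auth"; // placeholder cookie name
                options.Cookie.HttpOnly = true;
                options.ExpireTimeSpan = TimeSpan.FromMinutes(120); // ticket lifetime
                options.LoginPath = "/Account/Login";
            });

        services.AddMvc();
    }
}
```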
