ASP.NET Core 3.1/身份会话永远不会过期.如何让它在滑动过期时过期? [英] ASP.NET Core 3.1 / Identity session never expires. How can I get it to expire on sliding expiration?
问题描述
对我的网站进行的安全检查显示,会话(即登录)永不过期.我已经对自己进行了测试,并发现了同样的事实-今天早上,我在localhost上打开了该站点,但我仍然从昨天登录.我一直认为它会像.NET Framework应用程序中那样在20分钟后过期.
我正在使用ASP.NET Core Identity支架,除了实现两因素身份验证以外,所做的改动很小.
在我的Startup.cs中,我具有以下代码来添加会话支持:
services.AddSession(options =>{options.Cookie.IsEssential = true;options.IdleTimeout = TimeSpan.FromSeconds(10);options.Cookie.Expiration = TimeSpan.FromSeconds(10);}); 在IdentityOptions下我看不到任何与登录超时有关的代码.
在登录页面上,我专门对所有记住我"进行硬编码.将函数键入false:
等待_signInManager.SignInWithClaimsAsync(user,isPersistent:false,Claims);
如何让登录会话在约20分钟后过期,就像它们在.NET Framework中自动发生的那样?
对于这个问题,我基本上有完全相反的问题: asp.net-core2.0用户自动注销20-30分钟后
这里的大多数问题似乎都在询问如何增加超时时间,但我需要将其从(看似)无限减少到20分钟左右:
我发现我必须在Startup.cs中添加以下代码来设置ApplicationCookie的到期时间:
services.ConfigureApplicationCookie(options => options.ExpireTimeSpan = TimeSpan.FromMinutes(20));
我首先使用.FromSeconds(10)对其进行了测试,然后在10秒后退出.
A security check of my website showed that sessions (i.e. login) never expire. I've tested myself and I find the same - I opened up the site on localhost this morning and I'm still signed in from yesterday. I always assumed it would expire after 20 minutes like it would in .NET Framework apps.
I'm using the ASP.NET Core Identity scaffolding with minimal changes other than implementing two factor authentication.
In my Startup.cs I have the following code to add session support:
services.AddSession(options =>
{
options.Cookie.IsEssential = true;
options.IdleTimeout = TimeSpan.FromSeconds(10);
options.Cookie.Expiration = TimeSpan.FromSeconds(10);
});
I can't see any code relating to login timout under IdentityOptions.
On the login page, I'm specifically hardcoding any "remember me" type function to false:
await _signInManager.SignInWithClaimsAsync(user, isPersistent: false, claims);
How can I make my login sessions expire after ~20 minutes like they do automatically in .NET Framework?
I basically have the exact opposite problem to the one mentioned in this question: asp.net-core2.0 user auto logoff after 20-30 min
Most questions on here seems to be asking how to increase the timeout, but I need it decreased from (seemingly) infinite to 20 minutes or so:
I found that I had to add the following code in Startup.cs to set the ApplicationCookie expiration time:
services.ConfigureApplicationCookie(options => options.ExpireTimeSpan = TimeSpan.FromMinutes(20));
I tested it using .FromSeconds(10) first and I get logged out after 10 seconds.
The documentation for this function is here: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-3.1#cookie-settings
这篇关于ASP.NET Core 3.1/身份会话永远不会过期.如何让它在滑动过期时过期?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
