ASP.NET Web API 授权令牌提前到期 [英] ASP.NET Web API Authorization tokens expiring early
问题描述
我已经为我的 web api(个人帐户)实现了安全性,正如所讨论的 这里.
I have implemented security for my web api (individual accounts) as discussed here.
我在 Godaddy(共享主机)上托管了该网站,并且运行良好.当我使用 url "domain.com/token" 请求令牌时,我得到了有效期为 15 天内的令牌.我已经使用
I have hosted the website on godaddy (shared hosting) and its working fine. When I ask for token by using url "domain.com/token", I get the token with expiration date of within 15 days. I have set this in "StartupAuth.cs" using
AccessTokenExpireTimeSpan = TimeSpan.FromDays(15)
例如:
{
"access_token":"qwertyuiop.....",
"token_type":"bearer",
"expires_in":1209599,
"userName":"user@example.com",
".issued":"Wed, 11 Feb 2015 01:00:00 GMT",
".expires":"Thu, 26 Feb 2015 01:00:00 GMT"
}
(我在上面的代码中输入了值,但您会了解.expires"字段.
(I put values in above code, but you get the idea of the ".expires" field.
获取令牌 5 分钟后,当我尝试通过传递授权来访问get"或post"或我的 API 中的任何方法时:标头中的不记名令牌:
5 minutes after getting the token, when I try and access "get" or "post" or any method in my API by passing authorization: bearer token in header as:
Authorization: Bearer qwertyuiop.....
我收到此错误:
{"Message":"Authorization has been denied for this request."}
虽然它只是 5 分钟,令牌应该持续 15 天,但它会在 5 分钟内到期.当我在 5 分钟的间隔内请求任何方法get"/post"时,我会得到正确的响应,我的数据是 JSON.总之,授权成功.
Although its just been 5 minutes and token is supposed to last 15 days, it expires within 5 minutes. When I request any method "get"/"post" within interval of 5 minutes, I get the proper response with my data in JSON. In short, authorization succeeds.
我通过 Fiddler、Chrome 的 REST 插件和使用 API 的移动应用对其进行了测试,重复了这种行为.
I have repeated this behavior by testing it via Fiddler, REST plugin of Chrome and via the mobile app which uses the API.
我有会话的 web.config 值如下(我认为它相关)
I have web.config values for session as below (I thought its related)
<sessionState timeout="180" />
请注意,不使用表单身份验证,因此不需要在 web.config 中的该部分超时.
Note that forms authentication is not used, so timeout on that section in web.config is not necessary.
知道发生了什么吗?此超时导致使用 API 的移动应用程序用户不时重新登录.任何帮助将不胜感激.
Any idea what's going on? This timeout is causing the users of mobile apps which use the API to re-login every now and then. Any help would be appreciated.
谢谢.
推荐答案
检查 WebServer,在 IIS 中可以在应用程序级别设置 Machine Key,每次应用程序池回收时都会生成一个新的 Machine Key,因此您需要一个新令牌.您可以在网站级别或根服务器级别设置机器密钥.也许这可能会有所帮助
Check the WebServer, In IIS the Machine Key can be set at the application level, every time the app pool recycles a new Machine Key is generated hence you need a new token. You can set the Machine key on the Website level or Root Server Level. Maybe this might help
这篇关于ASP.NET Web API 授权令牌提前到期的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
