Issues with storing the custom Principal in Session for ASP.NET MVC

Problem description

I am running into an issue with ASP.NET MVC where it is forcing the user to log back in after about 20 mins of inactivity.

I am using Forms Authentication and have increased the time-out in the config file as:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="9999999" />
    </authentication>

I am also setting the session time-out in the config file as:

    <sessionState timeout="120"></sessionState>

I am basing this off of Rockford Lhotka's CSLA ASP.NET MVC example and have the following in my global.asax:

    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        if (HttpContext.Current.Handler is IRequiresSessionState)
        {
            if (Csla.ApplicationContext.AuthenticationType == "Windows")
                return;
            System.Security.Principal.IPrincipal principal;
            try
            {
                principal = (System.Security.Principal.IPrincipal)
                    HttpContext.Current.Session[MyMembershipProvider.SESSION_KEY];
            }
            catch
            {
                principal = null;
            }
            if (principal == null)
            {
                if (this.User.Identity.IsAuthenticated && this.User.Identity is FormsIdentity)
                {
                    // no principal in session, but ASP.NET token
                    // still valid - so sign out ASP.NET
                    FormsAuthentication.SignOut();
                    this.Response.Redirect(this.Request.Url.PathAndQuery);
                }
                // didn't get a principal from Session, so
                // set it to an unauthenticated PTPrincipal
                BusinessPrincipal.Logout();
            }
            else
            {
                // use the principal from Session
                Csla.ApplicationContext.User = principal;
            }
        }
    }

From what I can tell it should ONLY time-out after 120 minutes of inactivity ... but for some reason it always seems to time-out after 20 minutes of inactivity. I have no idea why this is happening, any ideas?

I am toying with the idea of just dumping Forms Authentication and handling it myself via Session, but I'm afraid I would lose functionality like [Authorize] attributes and so on. Trying not to go down this path.

Is it possible to store my custom principal object as a cookie? I just don't want to have to authenticate/authorize a user for every single page or action.

I'm losing hair ... rapidly! =)

Recommended answer

Mixing concerns of FormsAuthentication with SessionState is just a bad idea on many levels, as you are noticing from the answers you are getting.

If the information describing your custom principal is small, I would suggest storing it in the UserData member of the forms ticket. That is what it is there for.

Then your custom data, which is only valid with a valid ticket, is stored with the ticket.

Many problems solved and mucho code obviated.

Here is a helper class that can help you with your ticket: http://stackoverflow.com/questions/996588/how-to-set-asp-net-authenticated-properties/2357892#2357892

CAVEAT: In practice the max HTTP cookie size is just shy of the official 4k limit, and encryption cuts that in half approximately.

If you can ensure that your ticket, including principal data, will fit into <2k you should be good to go. Creating a custom serialization for your principal can help, e.g. name=value pairs work great if your data will cooperate.

Good luck.
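
The approach recommended in the answer above, sketched as an added example (not code from the original post and not the helper class it links to). It assumes .NET Framework 4 or later, the default forms protection="All", roles as the only principal data, and a GenericPrincipal standing in for the custom principal; TicketPrincipal, SignIn, Restore and the '|' separator are hypothetical names and choices.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: carries principal data in the forms ticket, not Session.
public static class TicketPrincipal
{
    private const int MaxCookieChars = 2000; // the answer's "<2k" budget

    // Call at logon, after the credentials have been validated.
    public static void SignIn(HttpResponseBase response, string userName,
                              string[] roles, bool persistent)
    {
        // Roles must come from the server-side store, never from request input.
        if (roles.Any(r => r.Contains("|")))
            throw new ArgumentException("Role names must not contain '|'.");

        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), // <forms timeout="...">
            persistent, string.Join("|", roles), FormsAuthentication.FormsCookiePath);

        // With protection="All", Encrypt() encrypts and signs the ticket with the
        // machineKey, so the client cannot read or alter UserData.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        if (encrypted.Length > MaxCookieChars)
            throw new InvalidOperationException("Ticket too large for a cookie.");

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax.
    public static void Restore(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // FormsAuthenticationModule has already decrypted and validated the ticket.
        string[] roles = identity.Ticket.UserData
            .Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the principal is rebuilt from the ticket on every request, its lifetime follows the forms timeout alone and no longer depends on sessionState.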
