为什么我的表单身份验证票过期这么快? [英] Why are my forms authentication tickets expiring so fast?

问题描述

我在ASP.NET应用程序中使用表单身份验证.我将FormsAuthenticationTicket配置为在1年后过期，但实际上在1小时左右后过期.我不知道为什么.

I'm using forms authentication in an ASP.NET application. I configure the FormsAuthenticationTicket to expire in 1 year but it actually expires after 1 hour or so. I can't figure out why.

这是登录过程中涉及的所有代码:

Here is all the code involved in the login process:

public static bool Login(int id)
{
    try
    {
        string securityToken = UserHelper.AuthenticateUser(id);

        DateTime expiryDate = DateTime.Now.AddYears(1);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
             1, id.ToString(), DateTime.Now, expiryDate, true,
             securityToken, FormsAuthentication.FormsCookiePath);

        string encryptedTicket = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        cookie.Expires = expiryDate;

        HttpContext.Current.Response.Cookies.Add(cookie);

        return true;
    }
    catch
    {
        return false;
    }
}

Web.config:

Web.config:

<system.web>
    <machineKey validationKey="AutoGenerate"
    decryptionKey="AutoGenerate" validation="SHA1" />
    <compilation debug="true">
    <authentication mode="Forms">
        <forms loginUrl="~/Login.aspx" timeout="2880"/>
    </authentication>
...

我的方法有问题吗?为什么到期这么快?

Is something wrong with my approach? Why is it expiring so fast?

编辑

Global.asax代码:

Global.asax code:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (Request.PhysicalPath.EndsWith(".aspx") || Request.PhysicalPath.EndsWith(".axd") || Request.PhysicalPath.EndsWith(".ashx"))
        SecurityManager.SetPrincipal();
}

SetPrincipal代码:

SetPrincipal Code:

public static void SetPrincipal()
{
    ILivrePrincipal principal = null;
    FormsIdentity identity;
    UrlParameters urlParameters = UrlParametersHelper.GetUrlParameters(HttpContext.Current.Request);

    if (HttpContext.Current.Request.IsAuthenticated)
    {
        identity = (FormsIdentity)HttpContext.Current.User.Identity;

        User userProfile;
        urlParameters.SecurityToken = (((FormsIdentity)identity).Ticket).UserData;
        try
        {
            userProfile = UserHelper.GetUser(urlParameters.SecurityToken);
            UserHelper.UpdateLastActiveOn(userProfile);
            principal = new AuthenticatedPrincipal(identity, userProfile);
        }
        catch
        {
            //TODO: Log an exception
            FormsAuthentication.SignOut();
            principal = new AnonymousPrincipal(new GuestIdentity(), UserHelper.GetUser(null));
        }
    }
    else
    {
        principal = new AnonymousPrincipal(new GuestIdentity(), UserHelper.GetUser(null));
    }

    HttpContext.Current.User = principal;
}

推荐答案

这是您的问题.

<machineKey validationKey="AutoGenerate" 
            decryptionKey="AutoGenerate" 
            validation="SHA1"/>

每次应用程序池回收时，ASP都会生成一个新的机器密钥.每小时都有可能发生这种情况.

ASP will generate a new machine key every time the app pool recycles. Which could reasonably happen every hour.

机器密钥用于加密和解密您的FormsAuthentication cookie.如果更改，则浏览器上的cookie不再有效.因此，系统会将您视为从未登录过.

The machine key is used to encrypt and decrypt your FormsAuthentication cookie. If it changes, the cookie on your browser is no longer any good. So the system will treat you as if you have never logged on.

尝试生成静态密钥并将其添加到配置文件中.应该看起来像这样:

Try generating a static key and adding it to the configuration file. Should look something like this:

<machineKey  
    validationKey="21F090935F6E49C2C797F69(snip)F1B72A7F0A281B"          
    decryptionKey="ABAA84D7EC4BB56D75D(snip)B8BF91CFCD64568A145BE59719F"
    validation="SHA1"
    decryption="AES"
/>

在此处生成密钥.

这篇关于为什么我的表单身份验证票过期这么快?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！