是否可以按用户设置ASP.NET Owin安全cookie的ExpireTimeSpan? [英] Is it possible to set an ASP.NET Owin security cookie's ExpireTimeSpan on a per-user basis?

问题描述

我们有一个使用Owin Cookie身份验证的ASP.NET MVC 5应用程序.目前，我们按照以下步骤设置Cookie身份验证:

We have an ASP.NET MVC 5 app using Owin cookie authentication. Currently, we set up cookie authentication as follows:

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        var timeoutInMinutes = int.Parse(ConfigurationManager.AppSettings["cookie.timeout-minutes"]);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/"),
            ExpireTimeSpan = TimeSpan.FromMinutes(timeoutInMinutes),
            SlidingExpiration = true,
            LogoutPath = new PathString("/Sessions/Logout")
        });
    }
}

我们有一项功能请求，允许我们的应用程序管理员自定义其组织内的会话超时.但是，上面的配置代码在MVC应用程序级别执行，并且我们的应用程序是多租户的.有谁知道在身份验证期间或通过覆盖某个地方的Owin管道事件来按用户设置用户会话的ExpireTimeSpan的方法吗?

We have a feature request to allow our application's admins to customize session timeouts within their organizations. However, the configuration code above executes at the MVC application level and our app is multi-tenant. Does anyone know of a way to set the ExpireTimeSpan of a user's session on a per-user basis, either during authentication or by overriding an Owin pipeline event somewhere?

提前谢谢！

推荐答案

身份验证选项包含一个名为Provider的属性.您可以将其设置为默认提供程序，并使用诸如OnResponseSignIn之类的方法替代之一来修改登录名的设置，或者可以实现自己的ICookieAuthenticationProvider并执行相同的操作.

The authentication options contains a property called Provider. You can either set this to the default provider and use one of the method overrides such as OnResponseSignIn to modify the settings of the login, or you could implement your own ICookieAuthenticationProvider and do the same.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    Provider = new CookieAuthenticationProvider
    {
        OnResponseSignIn = signInContext =>
        {
            var expireTimeSpan = TimeSpan.FromMinutes(15);

            if (signInContext.Properties.Dictionary["organization"] == "org-1")
            {
                expireTimeSpan = TimeSpan.FromMinutes(45);
            }

            signInContext.Properties.ExpiresUtc = DateTime.UtcNow.Add(expireTimeSpan);
        }
    }
});

您可以检查传入的声明以了解如何处理会话，也可以将自定义数据添加到登录呼叫中.

You could either check the incoming claim to see how the session should be handled or you could add custom data to your sign in call.

context.Authentication.SignIn(new AuthenticationProperties
{
    Dictionary =
    {
        { "organization", "org-3" }
    }
}, new ClaimsIdentity());

如果您确实需要，甚至可以在登录呼叫中设置ExpiresUtc，尽管最好将该逻辑留在身份验证提供程序中，以便于管理.

You could even set ExpiresUtc on the sign in call if you really wanted, though it might be best to leave that logic in the authentication provider so it's easier to manage.

这篇关于是否可以按用户设置ASP.NET Owin安全cookie的ExpireTimeSpan?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！