.NET Core 2.0中的持久性Auth cookie [英] Persistent Auth cookie in .net core 2.0

问题描述

最近，我在.net core 2.0中创建了我的新网站，并在身份验证中使用了永久性Cookie。我还在使用永久性文化cookie作为语言。

Recently I created my new website in .net core 2.0 and I'm using a persistent cookie in authentication. I'm also using persistent culture cookie for language.

我的网站托管在azure共享池中，我没有指定任何机器密钥。

my website hosted in azure shared pool and I didn't specify any machine key.

问题。
几个小时不活动（新浏览器）后重新打开网站时，我丢失了身份验证Cookie，我需要再次登录，但是文化cookie可以在上一个会话中使用。

Problem. When I re-open my website after few hours of inactivity (new browser) I lost my auth cookie and I need to log in again but culture cookie works as per the last session.

我还设置了 Application Insights可用性以保持我的应用程序热身（每10分钟从2个不同的位置ping网站）。

I also setup Application Insights availability to keep warm up my application (ping website in every 10 min from 2 different location).

LoginController

if (this.accountService.ValidateOTP(phoneNumber, otp))
        {
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.MobilePhone, phoneNumber),
                new Claim(ClaimTypes.Name, phoneNumber)
            };
            var userIdentity = new ClaimsIdentity("Custom");
            userIdentity.AddClaims(claims);
            ClaimsPrincipal userPrincipal = new ClaimsPrincipal(userIdentity);

            //await HttpContext.SignOutAsync("AnimalHubInstance");
            await HttpContext.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme,
                userPrincipal,
                new AuthenticationProperties
                {
                    IsPersistent = true,
                    ExpiresUtc = DateTime.Now.AddYears(1),
                });
}

启动

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(option =>
            {
                option.LoginPath = new PathString("/Account/Unauthorized");
                option.LogoutPath = new PathString("/Account/Logout");
                option.Cookie.Name = ".myAuth";
                option.ExpireTimeSpan = TimeSpan.FromDays(365);
                option.Cookie.Expiration = TimeSpan.FromDays(365);
            });

推荐答案

在几个小时不活动之后（新浏览器）重新打开网站时，我丢失了我的身份验证Cookie，需要登录

When I re-open my website after few hours of inactivity (new browser) I lost my auth cookie and I need to log in again but culture cookie works as per the last session.

您的文化cookie的值只是使用urlencoded。正如曾先生所说，用于散列和加密的机器密钥可能会在某些时候自动重新生成。我认为此问题是由您选择的定价层引起的。对于免费和共享层，您的应用程序将在共享基础结构上运行，并且资源有限（例如CPU时间，RAM，磁盘空间），并且没有 SLA 。

The value of your culture cookie is just urlencoded. As Tseng said that the machine key for hashing and encryption may automatically re-generate at some points. I assumed that this issue caused by the pricing tier you chose. For Free and Shared tier, you application would run on shared infrastructure and you only have the limited resources(e.g. CPU time, RAM, disk space) and no SLA.

应用程序服务限制：

< img src = https://i.stack.imgur.com/1DFuE.png alt =在此处输入图片描述>

此外，我试图重新启动网站并在本地回收应用程序池，身份验证cookie仍可以按预期工作。对于我在基本定价层下托管的网络应用，直到现在我都没有遇到此问题。

Moreover, I tried to restart the website and recycle the application pool on my local side, the authentication cookie could still work as expected. For my web app hosting under the basic pricing tier, I do not encounter this issue until now.

这篇关于.NET Core 2.0中的持久性Auth cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！