How to do both sliding and absolute timeout in asp.net forms authentication

Question

I have an asp.net application which is currently using forms authentication with slidingExpiration="true". In web.config, we have the following:

<authentication mode="Forms">
  <forms loginUrl="Mylogin.aspx" timeout="15" slidingExpiration="true"/>
</authentication>

This is all to spec: There is a sliding 15 minute expiration. However, we now have a new security requirement: Users must re-authenticate every 24 hours, even if they have been "active" the whole time. In other words, even if you clicked a link in the site every minute for 24 hours straight after logging in, after 24 hours, you will be automatically logged out and redirected to the login page.

But slidingExpiration is true/false only. There is no "both" feature (e.g. have slidingExpirationTimeout="15" and absoluteExpirationTimeout="1440") as far as I can tell.

Except for rolling my own solution, is there a way to implement this using the built-in forms authentication?

Thanks.

Recommended answer

You can start a new session with the current time when the user's session begins in the Global.asax file, then with every subsequent request, compare the session's value with the current time until it is >= to current time.

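void Application_AcquireRequestState(object sender, EventArgs e)
{
    // Session is null for requests whose handler does not use session state.
    if (HttpContext.Current.Session != null)
    {
        // "as DateTime?" yields null instead of throwing when the value was never set.
        DateTime? started = HttpContext.Current.Session["SessionStarted"] as DateTime?;
        DateTime current = DateTime.UtcNow;
        // Elapsed time is current minus start; the reverse order is always negative.
        if (started.HasValue && current.Subtract(started.Value).TotalHours >= 24)
        {
            // End the session and force re-authentication.
            HttpContext.Current.Session.Abandon();
            System.Web.Security.FormsAuthentication.SignOut();
            System.Web.Security.FormsAuthentication.RedirectToLoginPage();
            CompleteRequest(); // RedirectToLoginPage does not end the request itself
        }
    }
}

void Session_Start(object sender, EventArgs e)
{
    // Code that runs when a new session is started.
    // UTC avoids a daylight-saving shift changing the measured interval.
    Session["SessionStarted"] = DateTime.UtcNow;
}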

HttpApplication.AcquireRequestState Event

Occurs when ASP.NET acquires the current state (for example, session state) that is associated with the current request.
