asp.net-core2.0 user auto logoff after 20-30 min

Problem description

A few days ago I decided to upgrade my web app from asp.net core 1.1 to core 2.0. Everything seems to work fine after minor changes, except authentication does not persist longer than 20-30 minutes.

We can take the default example from Visual Studio because I experience the same problem in my own webapp and in "ASP.NET Core Web Application" -> .NET Framework 4.6.1 + ASP.NET Core 2.0 + MVC + Individual User Accounts.

Configuration is default and users should stay logged in for 14 days:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();
...
    services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
...
    app.UseAuthentication();
...
}

The PROBLEM is that the user only stays logged in for 20-30 minutes. When the user logs in ("Remember me" is selected) you can navigate through pages, and even reopen the browser, and the user stays logged in. Thus it seems the authentication cookie is working. However, after 20-30 minutes the user is logged out automatically, or should I say the cookie expires (I do not know what happens). You can log in again, and the game starts all over again.

I have tried setting Application cookie expiration, but this does not solve the problem:

services.ConfigureApplicationCookie(options => {
    options.ExpireTimeSpan = TimeSpan.FromDays(1); // Just shortens cookie expiration time, but still logs out users after 20-30 minutes.
});

Since it takes 20-30 minutes, it looks like default session timeout:

services.AddSession(options =>
{
    options.Cookie.Expiration = TimeSpan.FromDays(1); // This throws an error "Expiration cannot be set for the cookie defined by SessionOptions"
    options.IdleTimeout = TimeSpan.FromDays(1); // This changes session sliding expiration time... 
});

The same implementation worked fine in ASP.NET Core 1.1.

Recommended answer

Ok then I have spammed different forums regarding this :) And here are my discoveries. Original https://github.com/aspnet/Identity/issues/1389

It seems there was a big gap in my understanding of how this all works. I also found that I have lied a little. So to finish up for others as stupid as me.

services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();
services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromSeconds(10));
services.AddAuthentication()
    .Services.ConfigureApplicationCookie(options =>
    {
        options.SlidingExpiration = true;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    });

According to my understanding this works like this:

  • The check if the user is logged in happens ~every 10 seconds, depending on requests ratio. Server checks security stamps upon every request to the server (options.ValidationInterval = TimeSpan.FromSeconds(10)).

  • The cookie is valid at minimum for 30 minutes (options.ExpireTimeSpan = TimeSpan.FromMinutes(30);), but can be extended with options.SlidingExpiration = true; if the page is refreshed or navigated.

  • Important! Do not be too "smart" like me and do not run _userManager.UpdateSecurityStampAsync(user); just after successful login, because this updates the security stamp and the next validation will fail.
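
An added example, not part of the original answer or of ASP.NET Core Identity's source: a simplified model of the security stamp check, showing why rotating the stamp right after sign-in signs the user out on the first request after ValidationInterval has elapsed (the framework default is 30 minutes). The names AuthCookie, StampModel and FirstLogoutMinute and the stamp strings are constructed for illustration, and sliding expiration is left out of the model.

```csharp
using System;

// Simplified model of the Identity security stamp check; not the framework's code.
class AuthCookie
{
    public string Stamp;        // security stamp copied into the cookie at sign-in
    public TimeSpan IssuedAt;   // time since sign-in at which the cookie was (re)issued
}

class StampModel
{
    public string StoredStamp = "stamp-1";   // constructed value: stamp in the user store
    public TimeSpan ValidationInterval;

    public AuthCookie SignIn() =>
        new AuthCookie { Stamp = StoredStamp, IssuedAt = TimeSpan.Zero };

    // Returns false when the cookie is rejected, i.e. the user is signed out.
    public bool HandleRequest(AuthCookie cookie, TimeSpan now)
    {
        if (now - cookie.IssuedAt <= ValidationInterval)
            return true;                      // cookie still fresh: store is not consulted
        if (cookie.Stamp != StoredStamp)
            return false;                     // stamp changed since the cookie was issued
        cookie.IssuedAt = now;                // stamp matches: cookie is renewed
        return true;
    }

    // Minute at which a user sending one request per minute is signed out, or -1.
    public static int FirstLogoutMinute(TimeSpan interval, bool rotateStampAfterLogin)
    {
        var model = new StampModel { ValidationInterval = interval };
        var cookie = model.SignIn();
        if (rotateStampAfterLogin)
            model.StoredStamp = "stamp-2";    // effect of UpdateSecurityStampAsync after sign-in
        for (int minute = 1; minute <= 120; minute++)
            if (!model.HandleRequest(cookie, TimeSpan.FromMinutes(minute)))
                return minute;
        return -1;
    }

    static void Main()
    {
        var defaultInterval = TimeSpan.FromMinutes(30);
        Console.WriteLine(FirstLogoutMinute(defaultInterval, rotateStampAfterLogin: true));
        Console.WriteLine(FirstLogoutMinute(TimeSpan.FromSeconds(10), rotateStampAfterLogin: true));
        Console.WriteLine(FirstLogoutMinute(defaultInterval, rotateStampAfterLogin: false));
    }
}
```

Shortening ValidationInterval only moves the sign-out earlier while the stamp is still being rotated after login; the session survives once the rotation is removed.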
