如何使Web应用程序中的所有cookie失效 [英] How to invalidate all cookies in a web application

问题描述

如何简单地使所有类型的cookie(包括会话，身份验证等)无效.

How do I simply invalidate all kinds of cookies (including session, authentication, etc.).

即使我使用浏览器cookie管理器"删除了所有cookie并重置了IIS，它看起来仍然能够记住身份验证cookie并自动登录.

Even if I remove all cookies using "browser cookie manager" and reset IIS, it appears like, it is still able to remember authentication cookie and logs me in automatically.

顺便说一句，我们正在使用SQL Server会话和表单身份验证.

BTW, we are using SQL Server Session and Forms authentication.

如果我在一定的"持续时间内保持Web应用程序不变，它将使所有内容失效并使我重定向到登录名.

If I leave the web application untouched for "certain" duration of time, it invalidates everything and redirects me to login.

推荐答案

您可以保留GUID或其他一些标识符作为当前"值.

You can keep a GUID or some other identifier available as the "current" value.

此值可以包含在每个cookie值中.在全局处理程序中，可以通过确保所有cookie具有与服务器值相同的GUID来验证cookie.如果它们不匹配，则说明cookie是旧的"，不再有效.从那里按需继续操作(重定向到登录屏幕，提供错误消息等)

This value can be included in each of your cookie values. In your global handler, you can validate your cookies by ensuring that all of them have the same GUID as your server's value. If they don't match, then the cookies are "old" and are no longer any good. Proceed as you need from there (redirect to login screen, provide error message, etc.)

使用FormsAuthentication，在票证中包含自定义对象而不是使用现成的单行代码是一项额外的工作，但这还不错.

With FormsAuthentication, it's a little extra work to have a custom object in your ticket rather than using the out-of-the-box one-liners, but it's not too bad.

要使用户无效时，只需更改服务器上的GUID.

When you want to invalidate your users, just change the GUID on the server.

如果要按用户执行此操作，则将GUID存储在用户表中.如果只想同时使每个人全局失效，则只需在一个位置放置一个GUID即可.

If you want to do this per-user, you'd store the GUID in your user table. If you only want to globally invalidate everyone at the same time, you can just have a single GUID in one place.

这篇关于如何使Web应用程序中的所有cookie失效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！