How to remove cookies asp.net core authorization


Question

For example, I deleted the user but he has cookie authorization; that is, he can not press the logout button and continue to use his account. How to fix the situation?

Recommended answer

This is a general problem of claims based authentication when removing access for users. Due to how it is designed, the database is not accessed on every request to verify the access. Instead, the cryptographically signed cookie is considered to be the source of truth. So when the access is removed in the database, the cookie is still valid and it is not trivial how to update the user’s cookie in that case. Since it is a cookie that is stored on the client side, you also can’t just log out the user remotely.

But there is a mechanism in ASP.NET Core Identity that enforces the cookie authentication scheme to re-validate an identity on a certain interval. You can configure this like this in your Startup’s ConfigureServices method:

services.Configure<SecurityStampValidatorOptions>(options =>
{
    options.ValidationInterval = TimeSpan.FromMinutes(10);
});

This would set the interval to 10 minutes. So every 10 minutes, a user accessing your site with an existing cookie would be validated, and a new cookie would be issued. This process is completely silent and happens behind the scenes.

Depending on how strictly you want to enforce this, you would have to lower this interval further. I would generally recommend you to still leave it at a certain duration. Otherwise you are defeating the purpose of the cached identity.

You should also consider how problematic it really is if a user still has access to your site, and how time critical a user removal would have to be. Depending on your application, it’s also not unlikely that you retrieve the user entity within your critical actions anyway, so this would automatically fail in this case, without you having to deny access by removing the cookie.
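
The two points of the answer above side by side, as an added example that is not part of the original answer: the validation interval bounds how long a stale cookie is accepted, and a critical action that loads the user entity fails for a deleted account even inside that interval. It assumes the default IdentityUser type; StampValidationSetup, AccountController and ChangeEmail are hypothetical names.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class StampValidationSetup
{
    // Call from ConfigureServices after AddIdentity/AddDefaultIdentity.
    public static void AddShortStampValidation(this IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            // Cookies older than this are re-validated against the user store.
            options.ValidationInterval = TimeSpan.FromMinutes(10);
        });
    }
}

[Authorize]
public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;

    public AccountController(UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn)
    {
        _users = users;
        _signIn = signIn;
    }

    // Hypothetical critical action. It loads the user entity itself, so a deleted
    // account fails here even while its cookie is inside the validation interval.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ChangeEmail(string newEmail)
    {
        var user = await _users.GetUserAsync(User); // database lookup by the cookie's user id
        if (user == null)
        {
            await _signIn.SignOutAsync(); // clear the stale cookie on this browser
            return Challenge();           // redirect to the login page
        }
        var result = await _users.SetEmailAsync(user, newEmail);
        if (!result.Succeeded) return BadRequest(result.Errors);
        return Ok();
    }
}
```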
