regenerateExpiredSessionId 未按预期工作 [英] regenerateExpiredSessionId not working as expected
问题描述
据我所知,根据 MSDN,regenerateExpiredSessionId="true" 指定当客户端指定过期的会话 ID 时将重新发出会话 ID.但是,这似乎不像描述的那样工作.
It is my understanding, according to the MSDN, that regenerateExpiredSessionId="true" specifies that the session ID will be reissued when an expired session ID is specified by the client. However, this does not seem to be working as described.
假设您有一个配置如下的应用程序:
Let's say you have an application configured as follows:
<sessionState
cookieless="AutoDetect"
regenerateExpiredSessionId="true" />
在其他地方,您有一个指向该应用程序中嵌入了过期会话 ID 的页面的链接:
And somewhere else, you have a link to a page in that application in which an expired session ID is embedded:
<p><a href="http://localhost/SessionStateTest/(S(3gxng155isp0ocvhveoklnqe))/Default.aspx">Here is a link!</a></p>
如果未启用 cookie 的浏览器点击该链接,会话 ID 不会重新发布.它正在从 URL 回收过期 ID 并创建使用此旧 ID 的新会话.
If a browser in which cookies are not enabled clicks on that link, the session ID is not reissued. It is recycling the expired ID from the URL and creating the new session with this old ID.
当然,如果多个 no-cookie 浏览器同时点击链接,它们都会共享同一个过期的会话 ID,这显然是一个安全问题.
Of course, if several no-cookie browsers click on the link simultaneously, they ALL share that same expired session ID, which is obviously a security issue.
regenerateExpiredSessionId="true" 难道不是应该防止用户无意中共享相同的会话状态吗?如果是这样,为什么在这种情况下框架没有按预期生成新的会话 ID?
Isn't regenerateExpiredSessionId="true" supposed to prevent users from inadvertently sharing the same session state? If so, why isn't the framework generating new session IDs as expected in this case?
推荐答案
你确定你的会话真的过期了吗?
Are you sure your session is actually expiring ?
如果您使用 Forms 身份验证,则其票证可能会在与会话不同的时间到期.(当您将滑动过期混入混合时会变得更加混乱)
If you are using Forms authentication, its ticket can expire at different time than the session. (gets more confusing when you throw sliding expiration into the mix)
要检查是否启用了 cookieless,只需在您认为会话已过期时查看 url...如果 url 票证的第二部分F(xydUI....)"在您再次登录时发生变化,但S(dysXy...)"保持不变,您知道您的会话刚刚更新并且尚未完全过期.
To check with cookieless enabled just look at the url when you think the session has expired... if the second part of the url ticket "F(xydUI....)" changes when you login again but the "S(dysXy...)" stays the same you know your session is just getting renewed and hasn't fully expired.
希望能帮到你
这篇关于regenerateExpiredSessionId 未按预期工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
