asp.net cookies, authentication and session timeouts


Question

I have an asp.net website that uses forms authentication. There are a few things I keep in session like username, userID, email, etc.

I allow the user to stay logged into the website by setting a long expiration date on the authentication cookie. So it's very common for the session to expire while the user is still authenticated.

The problem I am running into is that sometimes the user's session times out but they're still authenticated. So for example, one of my user pages (which requires authentication) will say "Welcome Mike" while their session is active, but once it expires it will say "Welcome [blank]" because the info is no longer in the session, yet they are still authenticated.

What's the best way to handle this? Should I resync the session info when the info is no longer there? Or should I move the user info (username, userID, email) into cookies and not worry about session timeouts?

I do not want to set the session length to something like 60 minutes or more. What I want is for my users to be able to log in once and not worry about having to log in again until they explicitly log out.

Answer

Avoid using session as much as you can; if you can get away without session it makes multi-server deployments quite a bit easier. Probably, name and email are easy candidates for cookies. It's easy to fake a cookie, so userID may not be a good idea depending on your security needs.

The forms authentication cookies are encrypted and you can add extra data to those cookies (see details below). It's probably hackable, but not nearly as easily as a simple cookie.

Here is the code I have used in the past, slightly modified to remove some project-specific details. Call this in the LoggedIn event of the Login control.

void AddUserIDToAuthCookie(string userID)
{
  // There is no way to directly set the UserData portion of a FormsAuthenticationTicket
  // without re-writing the login portion of the Login control.
  //
  // I find it easier to pull the cookie that the Login control inserted out
  // and create a new cookie with the UserData set.

  // The forms cookie name from <forms name="..."> in web.config (".ASPXAUTH" by default)
  string authCookieName = FormsAuthentication.FormsCookieName;

  // Response.Cookies[name] would create an empty cookie if none exists, so check the keys first
  if (Array.IndexOf(Response.Cookies.AllKeys, authCookieName) < 0)
  {
    return;
  }

  HttpCookie authCookie = Response.Cookies[authCookieName];
  Response.Cookies.Remove(authCookieName);

  // Decrypt the ticket the Login control issued and copy everything except UserData
  FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(authCookie.Value);
  var newTicket =
    new FormsAuthenticationTicket(oldTicket.Version, oldTicket.Name, oldTicket.IssueDate, oldTicket.Expiration,
                                  oldTicket.IsPersistent, userID, oldTicket.CookiePath);

  // Re-encrypt (and re-sign, with protection="All") and put the cookie back
  authCookie.Value = FormsAuthentication.Encrypt(newTicket);

  Response.Cookies.Add(authCookie);
}

FYI, I copied this from an old project and edited it here to remove some project-specific bits, so it may not compile, but it'll be very close.

To get the ID in your webpage...

FormsAuthenticationTicket ticket = ((FormsIdentity) Page.User.Identity).Ticket;
string id = ticket.UserData;

I used this mechanism to store an id that was not part of the aspnetdb user data. If all your identity data is handled by the aspnetdb, you may only need to access the Page.User.Identity object.
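The following is an added example of the same technique, written for this page and not taken from the answer above. It serializes userID, name and email into the ticket's UserData, reads them back without touching Session, and handles the exact case the question describes: an authenticated user whose session has expired, or whose ticket was issued before UserData was populated. It assumes a WebForms site with <authentication mode="Forms">, the default <forms protection="All" /> and a configured Membership provider; AuthUserData, AuthCookieHelper, WelcomePage, WelcomeLabel and the 30-day fallback expiry are names and values chosen for the example.

```csharp
// Added example, not the answer's code. Keeps userID/name/email in FormsAuthenticationTicket.UserData
// so pages never depend on Session, and re-issues tickets that predate this change. Assumes
// <forms protection="All" /> (the default); the class names, WelcomeLabel and 30-day window are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public sealed class AuthUserData
{
    public string UserId { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    private const char Sep = '|';   // field separator; rejected inside values

    // One short string: the whole encrypted ticket must fit in a ~4 KB cookie.
    public string Serialize()
    {
        string[] fields = { UserId ?? "", Name ?? "", Email ?? "" };
        foreach (string f in fields)
            if (f.IndexOf(Sep) >= 0) throw new ArgumentException("field contains separator");
        return string.Join(Sep.ToString(), fields);
    }

    // Null for empty or unexpected UserData, so callers fall back instead of trusting it.
    public static AuthUserData Parse(string userData)
    {
        if (string.IsNullOrEmpty(userData)) return null;
        string[] p = userData.Split(Sep);
        return p.Length == 3 ? new AuthUserData { UserId = p[0], Name = p[1], Email = p[2] } : null;
    }
}

public static class AuthCookieHelper
{
    // Re-issue the auth ticket with our UserData. Works from Login.LoggedIn (ticket is in
    // Response.Cookies) and from a later request (ticket is on the current FormsIdentity).
    public static void Issue(HttpContext ctx, string userName, AuthUserData data)
    {
        string cookieName = FormsAuthentication.FormsCookieName;
        FormsAuthenticationTicket old = null;
        // Response.Cookies[name] creates an empty cookie when none exists; check AllKeys instead.
        if (Array.IndexOf(ctx.Response.Cookies.AllKeys, cookieName) >= 0)
        {
            string value = ctx.Response.Cookies[cookieName].Value;
            if (!string.IsNullOrEmpty(value)) old = FormsAuthentication.Decrypt(value);
        }
        else
        {
            var fi = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
            if (fi != null) old = fi.Ticket;
        }

        bool persistent = old == null || old.IsPersistent;
        DateTime issued = DateTime.Now;
        DateTime expires = old != null ? old.Expiration : issued.AddDays(30);  // assumed stay-logged-in window
        var ticket = new FormsAuthenticationTicket(1, userName, issued, expires, persistent,
                                                   data.Serialize(), FormsAuthentication.FormsCookiePath);

        // With protection="All", Encrypt() also MACs the ticket, so edited UserData fails validation.
        var cookie = new HttpCookie(cookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // unreadable from script
            Secure = FormsAuthentication.RequireSSL,   // honours <forms requireSSL="true" />
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = expires;     // otherwise a browser-session cookie
        ctx.Response.Cookies.Remove(cookieName);
        ctx.Response.Cookies.Add(cookie);
    }

    // Read the profile on any request; null means authenticated but no usable UserData.
    public static AuthUserData Current(HttpContext ctx)
    {
        var fi = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        return fi == null || !fi.IsAuthenticated ? null : AuthUserData.Parse(fi.Ticket.UserData);
    }
}

// Code-behind for a page that requires authentication. The "Welcome [blank]" case becomes:
// rebuild the profile from the Membership provider once, re-issue the ticket, carry on.
public class WelcomePage : Page
{
    protected Label WelcomeLabel;   // <asp:Label ID="WelcomeLabel" runat="server" /> in the .aspx

    protected void Page_Load(object sender, EventArgs e)
    {
        AuthUserData profile = AuthCookieHelper.Current(Context);
        if (profile == null && User.Identity.IsAuthenticated)
        {
            MembershipUser mu = Membership.GetUser();   // null if the account was removed since login
            if (mu == null) { FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage(); return; }
            profile = new AuthUserData { UserId = Convert.ToString(mu.ProviderUserKey), Name = mu.UserName, Email = mu.Email };
            AuthCookieHelper.Issue(Context, mu.UserName, profile);
        }
        WelcomeLabel.Text = profile == null ? "Welcome" : "Welcome " + Server.HtmlEncode(profile.Name);
    }
}
```

Two checks worth making before relying on this. With protection="All", FormsAuthentication.Encrypt both encrypts and MACs the ticket using the machineKey, so the client cannot alter the userID carried in UserData; on a web farm, however, the <machineKey> must be set explicitly and be identical on every server, or a ticket issued by one node will fail to decrypt on the next. Second, the data is only as fresh as the ticket: when a user changes their name or email, call Issue again at that point instead of waiting for the cookie to expire.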

