在窗体身份验证超时和会话超时差异 [英] Differences in forms auth timeout and session timeout

问题描述

会话状态超时使用该web.config中元素集

The session state timeout is set using this web.config element

<sessionState mode="InProc" cookieless="false" timeout="120" />

该窗体身份验证使用该web.config中的元素配置

The forms auth is configured using this web.config element

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
</system.web>

是什么在这些元素中指定的超时之间的区别？如果这两个是不同的，它如何运作的？

What is the difference between the timeouts specified in each of these elements? If both are different, how would it work?

推荐答案

一个会话开始每一个新的用户点击该网站时，不管他们是否是匿名的。验证已经很少做会话。

A session starts every time a new user hits the website, regardless of whether or not they are anonymous. Authentication has very little to do with Session.

认证超时是身份验证Cookie有利于用户的浏览器的时间量。一旦cookie过期，他们必须重新认证才能访问该网站上受保护的资源。

Authentication timeout is the amount of time that the authentication cookie is good for on the user's browser. Once the cookie expires, they must re-authenticate to access protected resources on the site.

所以，如果会话超时验证cookie之前 - 他们还在验证，但他们所有的会话变量消失，并可能在你的网站会导致错误，如果你没有在检查空值和其他条件的纪律所带来的缺失会议

So, if Session times out before the Authentication cookie - they are still authenticated, but all their session variables disappear, and may cause errors in your website if you are not disciplined in checking for nulls and other conditions brought about by missing session.

如果验证超时会话之前，那么所有的session变量仍然存在，但它们将不能够直到他们再次重新登录才能访问受保护的资源。

If Authentication times out before the session, then all their session variables will still exist, but they won't be able to access protected resources until they log back in again.

这篇关于在窗体身份验证超时和会话超时差异的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！