ASP.Net Session Timeout detection: Is Session.IsNewSession and SessionCookie detection the best way to do this?


Problem description

When my ASP.Net session times out (and forms authentication as well) and I try to hit a page, I am automatically redirected to my default login.aspx page.

Before the page loads I need to determine whether this is a timeout situation and if so - redirect to timeout.aspx.

The articles below specify that if IsNewSession is true, and a sessionID cookie exists - then you have a timeout situation.

However, in my testing I have the situation where I time out and try to log back in again and IsNewSession is equal to true and the sessionId cookie is still hanging around (because it stays for an entire browser session), therefore it says I've timed out again when I'm just trying to log back in.

Is there a better way to do all this?

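Technique is described here and here (http://blogs.msdn.com/nikhiln/archive/2007/06/21/detecting-session-timeout-in-asp-net-2-0-web-applications.aspx).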

In my 'global.asax' file I have:

void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
        // Check if session state is enabled in web.config
        if (Context.Session == null) return;

        if (Session["user"] == null) 
        {
            if (Session.IsNewSession)
            {                    
                HttpCookie sessionCookie = Request.Cookies["ASP.NET_SessionId"];
                if ((null != sessionCookie) && !string.IsNullOrEmpty(sessionCookie.Value))
                {
                    /* Session Timeout! */
                    FormsAuthentication.SignOut(); //just in case not done yet
                    Session.Abandon();
                    Response.Redirect("timeout.aspx");
                }
                else
                {
                    // Cookie didn't exist - must be a brand new login
                    return;
                }
            }
            else
            {
                // If there is no session data and the session is not new then it must be the postback of the login screen.
                if ((HttpContext.Current.Request.Path.ToLower().LastIndexOf("/login.aspx") >= 0) && (Request.HttpMethod == "POST"))
                {
                    return;
                }
            }
        }    
}

Solution

You are trying to distinguish between a timeout session and a session that was manually logged out?

Your problem is that since the session data is gone all you have to go on is that a new request coming in has created a new session and the request coming in carries a session ID cookie (indicating that it had been logged in before).

There are two approaches.

Cookie:

First, in your login page you could create an additional cookie that indicates the login status of the user. When the user manually logs out, the cookie value is modified to indicate the logout. A request after a session has timed out will, in addition to having IsNewSession true, also have a login status cookie showing the user is still logged in, thus indicating the user hadn't manually chosen to log out.

Database:

A second approach is to store sessionIDs in a DB table along with logged-in status. When a logon is successful, enter the sessionID into a LoggedOnSessions table. When the user manually logs off, delete the sessionID from the table. Hence your timeout detection can include a lookup of the session ID in the table; if present, it was a timeout (at this point you should probably remove the ID as well).

For housekeeping purposes you should include an expiry datetime field which is set for much longer than any realistic logon period (a week for example). On a regular basis (e.g., weekly) delete entries in the table that have expired.

My preference is the database approach. I hate setting cookies because it irks me that that cookie is being sent with every request but is rarely needed.
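
The cookie approach from the answer above, as an added example (not code from the original question or answer). The cookie name "LoginStatus", its values "in"/"out" and the LoginStatus helper class are assumptions for illustration; Secure = true assumes the site is served over HTTPS.

```csharp
// Added example. "LoginStatus" and the values "in"/"out" are hypothetical names.
using System;
using System.Web;
using System.Web.Security;

public static class LoginStatus
{
    private const string CookieName = "LoginStatus"; // hypothetical name

    // Call with "in" after a successful login and "out" on manual logout.
    public static void Set(HttpResponse response, string value)
    {
        var cookie = new HttpCookie(CookieName, value)
        {
            HttpOnly = true,   // not readable from script
            Secure = true      // sent over HTTPS only (assumption: site uses HTTPS)
        };
        response.Cookies.Set(cookie);
    }

    // True when the session is new but the browser still claims "logged in".
    // The cookie is client-controlled: use it only to choose which page to
    // show, never as proof that the user is authenticated.
    public static bool IsTimeout(HttpContext context)
    {
        if (context.Session == null || !context.Session.IsNewSession) return false;
        HttpCookie status = context.Request.Cookies[CookieName];
        return status != null && status.Value == "in";
    }
}

public class Global : HttpApplication
{
    void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        if (!LoginStatus.IsTimeout(Context)) return;

        // Flip the marker first so the next request (the user logging back
        // in) is not reported as a second timeout.
        LoginStatus.Set(Response, "out");
        FormsAuthentication.SignOut();
        Session.Abandon();
        Response.Redirect("timeout.aspx");
    }
}
```

Because the marker is reset to "out" before the redirect, the lingering ASP.NET_SessionId cookie no longer causes a repeat timeout report when the user returns to login.aspx.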
