Asp.net形成没有履行暂停时以IIS7身份验证cookie [英] Asp.net forms authentication cookie not honoring timeout with IIS7
问题描述
身份验证Cookie似乎很短的时间周期(一天左右)后超时。我使用窗体身份验证,并有超时=10080与slidingExpiration在web.config =假。通过该设置,该cookie过期需要大约7天,用户身份验证成功后。
Authentication cookies seem to timeout after a short period of time (a day or so). I am using Forms Authentication and have the timeout="10080" with slidingExpiration="false" in the web.config. With that setting, the cookie should expire roughly 7 days after the user is successfully authenticated.
这工作与IIS6广告,但是当我搬到现场IIS7,cookie的过期快得多。我已经证实了与IE和Firefox多台机器这种行为,导致我相信这是一个IIS7设置。
This worked as advertised with IIS6, but when I moved the site to IIS7, the cookie expires much quicker. I've confirmed this behavior on multiple machines with IE and Firefox, leading me to believe it's an IIS7 setting.
有一个隐藏的设置,是IIS7特定的认证有关?所有其他认证类型为网站残疾人,除了匿名用户跟踪。
Is there a hidden setting that is IIS7 specific related to authentication? All other authentication types are disabled for the website, except for anonymous user tracking.
推荐答案
身份验证Cookie使用来自本地网络的或全局的machineKey 值加密。配置的machine.config 。如果没有这样的关键是的明确的设置,一键会自动生成,但它不保存在磁盘上 - 因此,每当应用程序重新启动或回收由于不活动就会发生变化,以及新的密钥将在下击创建。
The authentication cookie is encrypted using the machineKey value from the local web.config or the global machine.config. If no such key is explicitly set, a key will be automatically generated, but it is not persisted to disk – hence, it will change whenever the application is restarted or "recycled" due to inactivity, and a new key will be created on the next hit.
解决这个问题,只需添加一样容易<的machineKey> 配置节的web.config 或可能(preferably?)到的machine.config 在服务器上(未经测试):
Resolving the problem is as easy as adding a <machineKey> configuration section to web.config, or possibly (preferably?) to the machine.config on the server (untested):
<system.web>
...
<machineKey
validationKey="..."
decryptionKey="..."
validation="SHA1"
decryption="AES"/>
...
</system.web>
谷歌的随机生成的machineKey 的以网站可以生成此节为您服务。如果有机密信息的应用程序处理,你可能会想自己创建密钥,虽然。
Google generate random machinekey for sites that can generate this section for you. If your application deals with confidential information, you might want to create the keys yourself, though.
这篇关于Asp.net形成没有履行暂停时以IIS7身份验证cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
