ASP.net WebForms 中的 AzureAD 和 OpenIdConnect 会话过期 [英] AzureAD and OpenIdConnect session expiration in ASP.net WebForms
问题描述
我有一个 ASP.net WebForms 应用程序,我已根据本文将其配置为与 Azure Active Directory 和 OpenIDConnect 配合使用:http://www.cloudidentity.com/blog/2014/07/24/protecting-an-asp-net-webforms-app-with-openid-connect-and-azure-ad/
I have an ASP.net WebForms application, which I have configured to work with Azure Active Directory and OpenIDConnect based on this article: http://www.cloudidentity.com/blog/2014/07/24/protecting-an-asp-net-webforms-app-with-openid-connect-and-azure-ad/
一般来说,它工作正常.但有时,在长时间不活动后(例如填写一个大表单),用户会被重定向到应用程序的主页,并且表单中的数据会丢失.这当然很令人困惑.
Generally speaking, it works fine. But sometimes, after a longer period of inactivity (e.g. filling out a big form), the user is redirected to the main page of the app and his data from the form is lost. This is of course very confusing.
似乎在某个时候会话(令牌?)到期,需要重新进行身份验证.我能够跟踪 HTTP 302 到 https://login.windows.net/... at重定向的点.因此,它将证实我关于通过 AAD 重新进行身份验证的假设.
It seems that at some point the session (token?) expires and it needs to re-authenticate. I was able to track a HTTP 302 to https://login.windows.net/... at the point of the redirect. So it would confirm my assumption about re-authentication via AAD.
我无法确切说明这种情况发生的频率 - 对我而言,它似乎不是定期发生的.我试图通过删除 cookie AspNet.Cookies 和 ASP.NET_SessionId 来重现该行为,但它没有导致重定向.与应用程序交互只是自动重新创建了这些 cookie.
I cannot exactly tell how often this happens - for me it does not seem to be in regular intervals. I was trying to reproduce the behavior by deleting the cookies AspNet.Cookies and ASP.NET_SessionId but it did not cause the redirect. Interacting with the application just recreated those cookies automatically.
我的问题是:
- 是否有其他位置(本地存储?)保存有关登录的信息?
- 我如何(在后台悄悄地)确保会话/令牌有效?
推荐答案
在您的初始化代码中,假设您已按照链接的文章中的说明进行操作,则有这样一行,
In your initialisation code, assuming you've followed the instructions in the article you've linked, there's a line like so,
app.UseCookieAuthentication(new CookieAuthenticationOptions());
将身份验证委托给身份提供者时,您的应用程序仍会根据控制生命周期的身份验证结果丢弃一些 cookie.您可以根据您的要求调整这些设置......例如
When delegating authentication to an Identity Provider, your application still drops some cookies based on the authentication result that control lifetimes. You can tweak these settings to your requirements....e.g.
appBuilder.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType ="Cookies",
ExpireTimeSpan = TimeSpan.FromMinutes(60), // Expire after an hour
SlidingExpiration = true // use sliding expiration..
});
查看文档以了解您可以配置的内容 - https://docs.microsoft.com/en-us/previous-versions/aspnet/dn385599(v%3Dvs.113)
Have a look at the docs for the things you can configure - https://docs.microsoft.com/en-us/previous-versions/aspnet/dn385599(v%3Dvs.113)
此外,每当它认为需要与身份提供者交互时,就会引发一个事件,OpenIdConnectAuthenticationOptions 上的 Notifications 对象下可用的处理程序选项.您可能感兴趣的是 RedirectToIdentityProvider
Also, an event will be raised whenever it thinks it needs to interact with the Identity Provider, handler optoions available under the Notifications object on OpenIdConnectAuthenticationOptions. One you might be interested in is RedirectToIdentityProvider
private void ConfigureOpenIdConnect()
{
var openIdConnectAuthenticationOptions = new OpenIdConnectAuthenticationOptions
{
// the rest of your settings....then
Notifications =
new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider =
async context => await RedirectToIdentityProviderHandler(context)
},
UseTokenLifetime = false
};
}
private static Task RedirectToIdentityProviderHandler(
RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
// do some logging whenever you app is redirecting to the IDP
return Task.FromResult(0);
}
UseTokenLifetime 在这里很有趣,因为您的身份令牌有一个过期时间,默认情况下,应用程序中的 cookie 生命周期就是令牌的生命周期.如果您想自己控制 cookie 生存期(根据第一个代码片段),请在此处将其设置为 false 并自行明确控制.
UseTokenLifetime is interesting here, as your identity token has an expiration time and by default the cookie lifetime in the application is the life of the token. If you want to control the cookie lifetime yourself (as per the first code snippet), set this to false here and explicitly control this yourself.
您可以组合使用覆盖身份令牌生命周期、更长的 cookie 生命周期、将滑动到期时间设置为 true + 每当身份提供者发生重定向时进行一些登录.
You could use a combination of overriding the identity token lifetime, a longer cookie lifetime, setting sliding expiration to true + some logging on whenever Redirects happen to the Identity Provider.
显然,过度调整设置会增加攻击向量,因此请仔细考虑您的安全要求.
Obviously though, tweaking settings too much increases attack vector, so consider your security requirements carefully.
这篇关于ASP.net WebForms 中的 AzureAD 和 OpenIdConnect 会话过期的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
