How does the session timeout work in IIS 7?


Problem description

In web.config, I set timeout in the sessionState to 20 minutes. According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned. In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out automatically is populated with timeout value set in web.config, which in my case is 20 minutes. Also, Application Pools->DefaultAppPool->Advanced Settings->idleTimeout, I set it to 10 minutes.

Then I made two tests: First test: I logged in my web app at 3:45pm, idling for 10 minutes. At 3:55pm, I tried to use my app, I got kicked out. I think the idleTimeout comes in play.

Second test: I logged in my web app at 4:00pm, play with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. I expected being kicked out at 4:20pm. But I was not. I thought the session state timeout (20min) in IIS 7 is the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate. Apparently from this test, it is not. Can anyone explain that to me? Also, how could I set the timeout for above case?

Recommended answer

Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server.

The Application Idle time-out kicks in if there have been no requests to your application for that period of time.

The usual scenario is therefore:

Time  | User A       | User B       | Session States
------+--------------+--------------+-------------------------------------------
12:00 | Visits Page1 |              | A: New Session, Time-out: 20 minutes
12:02 | Visits Page2 |              | A: Time-out reset: 20 minutes
12:10 |              | Visits Page1 | A: Time-out: 12 min; B: New: 20 minutes
12:15 |              | Visits Page2 | A: Time-out: 07 min; B: Time-out: 20 min
12:22 |              |              | A: times out; B: 13 min remaining
12:32 |              |              | Application Shuts Down (Idle time reached)
12:35 | Visits Page3 |              | A: New Session Starts

If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost.

The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that it's not AutoGenerated each time the server restarts.

If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will issue two cookies to each user:


  1. Authentication Token: Controlled by the Authentication time-out setting, allows the user to be auto logged in to your site if the cookie hasn't expired, this can be fixed or sliding, and defaults to 30 minutes, which means their authentication token can cope with a longer "idle" period than their session.
  2. Session Token: Controlled by the Session Time-out setting, allows your application to store and access per-user values during the lifetime of their visit.

Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session.

In response to comments:


  1. The 20 minute session time-out relates to items you've placed in the users session object (HttpSessionState) using the Session.Add(string, object) method.
  2. That depends. If you've correctly configured the machine.key, authentication tokens will still be valid, and if your sessions are no longer "InProc" these will also persist through application restarts and will still be readable - see notes above.
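
A small model of the two timers described in the answer, added here as an example (not code from the original post, and not how IIS implements them). It replays the asker's two tests with the 20-minute session timeout and 10-minute idleTimeout from the question, once with in-process session state and once with out-of-process state; `replay`, `at` and the outcome labels are hypothetical names, and a gap exactly equal to a timeout is assumed to count as elapsed.

```python
from datetime import datetime, timedelta

def replay(requests, session_timeout, idle_timeout, in_proc=True):
    """Replay (time, user) requests and return one outcome per request:
    'new', 'resumed', 'expired' (sliding session timeout elapsed) or
    'lost' (live session discarded when the idle worker shut down)."""
    last_seen, lost, last_request, outcomes = {}, set(), None, []
    for now, user in requests:
        # Assumption: a gap equal to a timeout counts as elapsed.
        if last_request is not None and now - last_request >= idle_timeout:
            shutdown = last_request + idle_timeout
            if in_proc:
                # In-process state lives in worker memory, so sessions
                # still valid at shutdown disappear with the process.
                for u, seen in list(last_seen.items()):
                    if shutdown - seen < session_timeout:
                        lost.add(u)
                        del last_seen[u]
        if user in lost:
            lost.discard(user)
            outcome = "lost"
        elif user not in last_seen:
            outcome = "new"
        elif now - last_seen[user] >= session_timeout:
            outcome = "expired"
        else:
            outcome = "resumed"
        last_seen[user] = now   # sliding: each request resets the clock
        last_request = now
        outcomes.append(outcome)
    return outcomes

def at(hhmm):
    return datetime.strptime(hhmm, "%H:%M")

SESSION = timedelta(minutes=20)   # sessionState timeout from the question
IDLE = timedelta(minutes=10)      # app pool idleTimeout from the question
# Constructed inputs: the request times of the asker's two tests.
TEST_1 = [(at("15:45"), "asker"), (at("15:55"), "asker")]
TEST_2 = [(at(t), "asker") for t in ("16:00", "16:05", "16:10", "16:15", "16:20")]

def demo():
    return {
        "test1_in_proc": replay(TEST_1, SESSION, IDLE),
        "test1_out_of_proc": replay(TEST_1, SESSION, IDLE, in_proc=False),
        "test2_in_proc": replay(TEST_2, SESSION, IDLE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the first test the session is lost to the worker shutdown rather than to the session timeout; in the second, every request arrives inside both windows, so the sliding timeout never elapses.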
