asp.net cookies, authentication and session timeouts


Question

I have an asp.net website that uses forms authentication. There are a few things I keep in sessions like username, userID, email, etc.

I allow the user to stay logged into the website by setting a long expiration date on the authentication cookie. So it's very common for the session to expire while the user is still authenticated.

The problem I am running into is that sometimes the user's session times out but they're still authenticated. So for example, one of my user pages (which requires authentication) will say "Welcome Mike" when their session is active but once it expires it will say "Welcome [blank]" because the info is no longer in the session, yet they are still authenticated.

What's the best way to handle this? Should I resync the session info when the info is no longer there? Or should I move the user info (username, userID, email) into cookies and not worry about session timeouts?

I do not want to set the session length to something like 60 minutes or more. What I want is for my users to be able to log in once and not worry about having to log in again until they explicitly log out.

Recommended answer

Avoid using session as much as you can; if you can get away without session it makes multi-server deployments quite a bit easier. Probably, Name and email are easy candidates for cookies. It's easy to fake a cookie, so userID may not be a good idea depending on your security needs.

The forms authentication cookies are encrypted and you can add extra data to those cookies (See details below). It's probably hackable but not nearly as easily as a simple cookie.

Here is the code I have used in the past, slightly modified to remove some project-specific details. Call this in the LoggedIn event of the login control.

using System.Web;
using System.Web.Security;

// Name of the forms authentication cookie. The original used a project-specific
// constant; tying it to the configured cookie name is an assumption made here.
static readonly string AUTH_COOKIE = FormsAuthentication.FormsCookieName;

void AddUserIDToAuthCookie(string userID)
{
  //There is no way to directly set the userdata portion of a FormsAuthenticationTicket
  //without re-writing the login portion of the Login control
  //
  //I find it easier to pull the cookie that the Login control inserted out
  //and create a new cookie with the userdata set

  // Response.Cookies[name] creates an empty cookie when none exists, so the
  // value check (not just the null check) is what detects a missing ticket.
  HttpCookie authCookie = Response.Cookies[AUTH_COOKIE];
  if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
  {
    return; // the Login control has not issued a ticket on this response
  }

  Response.Cookies.Remove(AUTH_COOKIE);

  FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(authCookie.Value);
  if (oldTicket == null)
  {
    return; // value could not be decrypted; do not re-issue the cookie
  }

  // Keep version, name, dates, persistence and path; only UserData changes.
  var newTicket =
    new FormsAuthenticationTicket(oldTicket.Version, oldTicket.Name, oldTicket.IssueDate, oldTicket.Expiration,
                                  oldTicket.IsPersistent, userID, oldTicket.CookiePath);

  authCookie.Value = FormsAuthentication.Encrypt(newTicket);

  Response.Cookies.Add(authCookie);
}

FYI, I copied this from an old project and edited it here to remove some project specific bits, so it may not compile, but it'll be very close.

To get the ID in your webpage...

// Page.User.Identity is a FormsIdentity only when the request was authenticated by
// forms authentication; the 'as' cast avoids an InvalidCastException otherwise.
FormsIdentity identity = Page.User.Identity as FormsIdentity;
string id = identity != null ? identity.Ticket.UserData : null;

I used this mechanism to store an id that was not part of the aspnetdb user data. If all your identity data is handled by the aspnetdb, you may only need to access the Page.User.Identity object.
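As an added example (not from the original answer), the following Global.asax handler rebuilds the request's identity from the ticket's UserData on every request instead of from Session, so a Session timeout can no longer blank the welcome message. It assumes UserData was written as "userID|email" with the same rewrite technique as AddUserIDToAuthCookie above; the SiteIdentity class name is hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: replaces the principal on each request with one built from the
// forms ticket, so pages read user data from User.Identity instead of Session.
// Assumes UserData holds "userID|email" (constructed format, not from the answer).
public class Global : HttpApplication
{
    // Carries the values that pages previously fetched from Session.
    public sealed class SiteIdentity : IIdentity
    {
        public SiteIdentity(string name, string userId, string email)
        {
            Name = name; UserId = userId; Email = email;
        }
        public string Name { get; private set; }
        public string UserId { get; private set; }
        public string Email { get; private set; }
        public string AuthenticationType { get { return "Forms"; } }
        public bool IsAuthenticated { get { return true; } }
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already decrypted, MAC-checked and
        // expiry-checked the cookie; an invalid or expired ticket never reaches here.
        var formsIdentity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (formsIdentity == null || formsIdentity.Ticket == null)
        {
            return; // anonymous request, or authenticated by some other means
        }

        string[] parts = (formsIdentity.Ticket.UserData ?? string.Empty).Split(new[] { '|' }, 2);
        if (parts.Length != 2)
        {
            return; // ticket issued without UserData (e.g. before the rewrite was added)
        }

        // Pages now use ((Global.SiteIdentity)User.Identity).Email, etc. No Session involved.
        Context.User = new GenericPrincipal(
            new SiteIdentity(formsIdentity.Ticket.Name, parts[0], parts[1]), new string[0]);
    }
}
```

Because the values are fixed at login, a changed email shows up only after the cookie is re-issued (log out and back in, or rewrite it as in AddUserIDToAuthCookie). UserData is covered by the ticket's own encryption and MAC, which is why it is a safer home for userID than a plain cookie; keep it short, since the whole ticket must fit in one cookie.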
