Asp.net身份过期会话Cookie [英] Asp.net Identity Expire Session Cookie
问题描述
我们正在使用MVC 5.2和 ASP.NET身份框架与窗体身份验证屏幕认证(用户放大器;口令组合),并标识使用Cookie持久。我在配置我的身份框架上设置身份验证cookie到30天届满启动方法,记住我这个作品时,用户选择就好了(IsPersistent = TRUE)。当IsPersistent = FALSE(用户选择,不要选择记住我)的会话cookie默认情况下创建。该会话cookie在Internet Explorer和FireFox中也伟大工程,在关闭浏览器cookie的丢失。在Chrome和Safari(也许其他浏览器太)有选择,以确保会话Cookie不丢失,在这种情况下,用户停留在记录,甚至在浏览器关闭并重新打开。
We are using MVC 5.2 and the ASP.NET Identity framework for authentication with a form authentication screen (user&password combo) and identity is persisted using a cookie. I have configuration in my startup method for the Identity framework to set the expiration on the authentication cookie to 30 days, this works just fine when the user selects to 'remember me' (IsPersistent = true). When IsPersistent = false (user elects not to select 'Remember me') a Session cookie is created by default. This session cookie works great in Internet Explorer and also FireFox, when the browser is closed the cookie is lost. In Chrome and Safari (and maybe other browsers too) there are options to ensure that session cookies are not lost, in this case the user stays logged in even when the browser is closed and re-opened.
我想周围的工作,以确保会话cookie不会永远持续,但在一个小时内被丢弃。如果帐户不是X分钟/小时,从来没有选择了记住我则用户身份被'拒绝'用,如果时间长度推移下一个请求的用户活跃,我也许可以通过检查来实现这一点。
I would like a work around to ensure that session cookies are not persisted forever but are discarded within an hour. I might be able to realize this by checking if the account is not active for X minutes/hours and the user never chose for 'Remember Me' then the users identity is 'rejected' with the next request if that time span elapses.
有没有人在他们的ASP.NET的身份实现创建周围的工作,以确保会话cookie X上的时间后,后端过期或也许有更好的方法来解决这个限制?也许这是可能做到这一点使用CookieAuthenticationProvider的自定义实现或手的过期日期/时间,用户要求,可以在某处ValidateIdentity过程进行检查?
Has anyone created a work around in their ASP.NET Identity implementation to ensure that session cookies are expired on the back end after X time or maybe there is a better way to work around this limitation? Maybe it is possible to do this using a custom implementation of the CookieAuthenticationProvider or hand an expiration date/time to the user claim which can be checked somewhere in the ValidateIdentity process?
任何想法将是巨大的。
先谢谢你,
-Igor
Any ideas would be great. Thank you in advance, -Igor
编辑 - 详细信息:
我的认证实现了2个基本模式(目前想不出更好的词)。我的实现是一个复选框记住我一个简单的用户名/密码的形式。复选框值传递给它传递给AuthenticationManager会签到::方法AuthenticationProperties对象的IsPersistent属性。
Edit - more information: My authentication implementation has 2 basic "modes" (can't think of a better word at the moment). My implementation is for a simple username/password form with a checkbox 'remember me'. The checkbox value is passed to the IsPersistent property of the AuthenticationProperties object which is passed to the AuthenticationManager::SignIn method.
-
用户要记住我创造与使用滑动过期设置30天到期长期居住的cookie。这使用户留浏览器会话的认证,并且没有超时由于与未访问的网站超过30天的异常活动。在我owin启动方法的设置反映了到期时间cookie是30天(CookieAuthenticationOptions.ExpireTimeSpan设置为30天)。这部作品无论浏览器平台(据我可以告诉)。
User wants to 'remember me' which creates a long lived cookie with an expiration of 30 days set using a sliding expiration. This enables the user to stay authenticated between browser sessions and there is no time out due to inactivity with the exception of not visiting the site for longer than 30 days. The settings in my owin startup method reflect that the expiration time for the cookie is 30 days (CookieAuthenticationOptions.ExpireTimeSpan set to 30 days). This works regardless of browser platform (as far as I can tell).
用户不希望记住我,有什么预期的行为应该是一个会话cookie创建时,关闭浏览器会话cookie从浏览器中删除。这的应的确保浏览器启动用户下一次未经过身份验证。当共享设备被用于像公众计算机,这是特别重要的。这个问题是不是所有的浏览器随时删除会话cookie,有的离开他们的目的,如果启用浏览器设置(Chrome是一个很好的例子)。会话cookie没有过期日期/时间,因此CookieAuthenticationOptions.ExpireTimeSpan没有影响这里。
这就是我要找的意见,因为我相信我能不能先一个谁遇到这一点。有可能是一种方法,使这种行为更安全的替代是什么都不做,可能留下一个会话cookie(这永不过期!)浏览器。
User does not want to 'remember me', what the expected behavior should be is a session cookie is created and when a browser is closed the session cookie is removed from the browser. This should ensure that the next time the browser is started the user is not authenticated. This is especially important when a shared device is being used like a public computer. The problem is not all browsers always delete session cookies, some leave them on purpose if a browser setting is enabled (Chrome is a good example). A session cookie does not have an expiration date/time so CookieAuthenticationOptions.ExpireTimeSpan has no affect here. This is where I am looking for advice as I am sure I can't be the first one who has come across this. There is probably a way to make this behavior more secure as the alternative is to do nothing and possibly leave a session cookie (which never expires!) on the browser.
推荐答案
身份已经嵌入到期时间的cookie数据,它是由OWIN检查。
Identity already embeds expiry time in the cookie data and it is checked by OWIN.
要限制cookie的生命启动设置: ExpireTimeSpan 来一个小时 ConfigureAuth 方法。 Auth.cs
To limit cookie life set ExpireTimeSpan to an hour in ConfigureAuth method in Startup.Auth.cs:
public void ConfigureAuth(IAppBuilder app)
{
// other stuff
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
ExpireTimeSpan = TimeSpan.FromHours(1),
});
}
这将确保饼干会在一个小时内到期。
This will make sure cookies will expire in an hour.
这篇关于Asp.net身份过期会话Cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
