MVC会话到期但不认证 [英] MVC session expiring but not authentication

问题描述

我正在开发一个C＃MVC应用程序，我似乎无法得到认证和会话超时同步。我有一个基本的窗体身份验证设置和一些有限的会话值。我设置了认证超时小于会话（28分钟比30），但对开发网络服务器上运行，该会议将在服务器重新启动被消灭而认证支左右。我假设的验证被存储在明显生存的重新启动服务器的cookie。

I'm developing a C# MVC application and I can't seem to get the Authentication and Session timeouts to synchronize. I have a basic Forms Authentication setup and some limited session values. I set the Authentication timeout less than the session (28 minutes vs 30) but running against the development web server, the session will be wiped on a restart of the server but the authentication sticks around. I'm assuming that the authentication is being stored in a cookie that obviously survives the server restart.

<authentication mode="Forms" >
  <forms loginUrl="~/Account/Login" timeout="28" />
</authentication>
<sessionState timeout="30" />

我想我要强制认证超时如果会话为空，然后要强制登录。

I think I want to force the the authentication to timeout if Session is null, to then force a login.

难道这就是我真正想要做什么？如果是如何以及在哪里办的？

Is that what I actually want to do? If so how and where do I do this?

如果没有，什么是处理这个问题的正确方法？

If not, what is the proper way to handle this?

修改

有关更多的透视我也贴了同样的项目这个问题：登录为...最好做法？

For more of a perspective I also posted this question for this same project: Login as... best practices?

推荐答案

我发现我的答案。覆盖授权属性。这似乎是最优雅的方式：

I found my answer. Override the Authorize attribute. This seems like the most elegant approach:

public class AuthorizeWithSessionAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext.Session == null || httpContext.Session["CurrentUser"] == null)
            return false;

        return base.AuthorizeCore(httpContext);
    }

}

这篇关于MVC会话到期但不认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！