Asp.net 形成身份验证 cookie 不遵守 IIS7 的超时 [英] Asp.net forms authentication cookie not honoring timeout with IIS7
问题描述
身份验证 cookie 似乎在短时间内(一天左右)后超时.我正在使用表单身份验证,并且在 web.config 中设置了带有 slipExpiration="false" 的 timeout="10080".使用该设置,cookie 应在用户成功通过身份验证后大约 7 天过期.
Authentication cookies seem to timeout after a short period of time (a day or so). I am using Forms Authentication and have the timeout="10080" with slidingExpiration="false" in the web.config. With that setting, the cookie should expire roughly 7 days after the user is successfully authenticated.
这与 IIS6 宣传的一样,但是当我将站点移至 IIS7 时,cookie 过期得更快.我已经在多台使用 IE 和 Firefox 的机器上确认了这种行为,这让我相信这是 IIS7 设置.
This worked as advertised with IIS6, but when I moved the site to IIS7, the cookie expires much quicker. I've confirmed this behavior on multiple machines with IE and Firefox, leading me to believe it's an IIS7 setting.
是否存在与身份验证相关的特定于 IIS7 的隐藏设置?除匿名用户跟踪外,网站的所有其他身份验证类型均已禁用.
Is there a hidden setting that is IIS7 specific related to authentication? All other authentication types are disabled for the website, except for anonymous user tracking.
推荐答案
身份验证 cookie 使用本地 web.config 或全局 machineKey 值加密代码>machine.config.如果没有明确设置这样的密钥,则会自动生成一个密钥,但它不会持久化到磁盘上——因此,每当应用程序重新启动或由于不活动而回收"时,它都会改变,并且新键将在下一次点击时创建.
The authentication cookie is encrypted using the machineKey value from the local web.config or the global machine.config. If no such key is explicitly set, a key will be automatically generated, but it is not persisted to disk – hence, it will change whenever the application is restarted or "recycled" due to inactivity, and a new key will be created on the next hit.
解决问题就像将 <machineKey> 配置部分添加到 web.config 或可能(最好?)添加到 机器一样简单.在服务器上配置(未经测试):
Resolving the problem is as easy as adding a <machineKey> configuration section to web.config, or possibly (preferably?) to the machine.config on the server (untested):
<system.web>
...
<machineKey
validationKey="..."
decryptionKey="..."
validation="SHA1"
decryption="AES"/>
...
</system.web>
Google生成随机机器密钥可以为您生成此部分的网站.不过,如果您的应用程序处理机密信息,您可能希望自己创建密钥.
Google generate random machinekey for sites that can generate this section for you. If your application deals with confidential information, you might want to create the keys yourself, though.
这篇关于Asp.net 形成身份验证 cookie 不遵守 IIS7 的超时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
