会话超时在 IIS 7 中如何工作? [英] How does the session timeout work in IIS 7?
问题描述
在 web.config 中,我将 sessionState 中的超时设置为 20 分钟.根据 MSDN,此超时指定会话在被放弃之前可以空闲的分钟数.在 IIS 7 中,DefaultWebSite->Session State->Cookie Settings->Time Out 自动填充了 web.config 中设置的超时值,在我的例子中是 20 分钟.另外,Application Pools->DefaultAppPool->Advanced Settings->idleTimeout,我设置为10分钟.
In web.config, I set timeout in the sessionState to 20 minutes. According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned. In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out automatically is populated with timeout value set in web.config, which in my case is 20 minutes. Also, Application Pools->DefaultAppPool->Advanced Settings->idleTimeout, I set it to 10 minutes.
然后我做了两个测试:第一次测试:我在下午 3 点 45 分登录了我的网络应用程序,闲置了 10 分钟.下午 3 点 55 分,我尝试使用我的应用程序,但被踢了出去.我认为 idleTimeout 发挥作用.
Then I made two tests: First test: I logged in my web app at 3:45pm, idling for 10 minutes. At 3:55pm, I tried to use my app, I got kicked out. I think the idleTimeout comes in play.
第二次测试:我在下午 4:00 登录我的网络应用程序,在下午 4:05、下午 4:10、下午 4:15 和下午 4:20 使用该应用程序.我预计会在下午 4 点 20 分被踢出去.但我不是.我认为 IIS 7 中的会话状态超时(20 分钟)是 Web 代理要求用户重新进行身份验证之前用户会话可以处于活动状态的最长时间.显然从这个测试,它不是.谁能给我解释一下?另外,我该如何设置上述情况的超时时间?
Second test: I logged in my web app at 4:00pm, play with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. I expected being kicked out at 4:20pm. But I was not. I thought the session state timeout (20min) in IIS 7 is the the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate. Apparently from this test, it is not. Can anyone explain that to me? Also, how could I set the timeout for above case?
推荐答案
会话超时是一个滑动超时,用户每次访问服务器时都会重置为配置的值.
Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server.
如果在这段时间内没有对您的应用程序的请求,则会启动应用程序空闲超时.
The Application Idle time-out kicks in if there have been no requests to your application for that period of time.
因此,通常的情况是:
| 时间 | 用户 A | 用户 B | 会话状态 |
|---|---|---|---|
12:00 | 访问第 1 页 | A:新会话,超时:20 分钟 | |
12:02 | 访问第 2 页 | A:超时重置:20 分钟 | |
12:10 | 访问第 1 页 | A:超时:12 分钟;B:新:20 分钟 | |
12:15 | 访问第 2 页 | A:超时:07 分钟;B:超时:20 分钟 | |
12:22 | A:超时;B:还剩 13 分钟 | ||
12:32 | 应用程序关闭(达到空闲时间) | ||
12:35 | 访问第 3 页 | A:新会话开始 |
如果用户 A 在 12:22 之后返回站点,他们将拥有一个全新的会话,并且您之前存储在其中的任何值都将丢失.
If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost.
确保会话在应用程序重新启动时持续存在的唯一方法是配置 SessionState 服务或 SQL 会话状态,并确保您已 配置了 machine.key 所以它不是每次服务器重启时自动生成的.
The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that's it not AutoGenerated each time the server restarts.
如果您使用标准的 ASP.NET 机制进行身份验证,那么 ASP.NET 将向每个用户发出两个 cookie:
If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will will issue two cookies to each user:
- 身份验证令牌:由 身份验证超时 设置控制, 如果 cookie 没有过期,允许用户自动登录到您的站点,这可以是固定的或滑动的,默认为 30 分钟,这意味着他们的身份验证令牌可以应对更长的空闲"时间.比他们的会话时间.
- 会话令牌:由会话超时设置控制,允许您的应用程序在访问期间存储和访问每个用户的值.
- Authentication Token: Controlled by the Authentication time-out setting, allows the user to be auto logged in to your site if the cookie hasn't expired, this can be fixed or sliding, and defaults to 30 minutes, which means their authentication token can cope with a longer "idle" period than their session.
- Session Token: Controlled by the Session Time-out setting, allows your application to store and access per-user values during the lifetime of their visit.
这两个 cookie 都使用 MachineKey 加密 - 因此,如果您的应用程序回收并生成新密钥,则这些令牌都无法解密,需要用户登录并创建新会话.
Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session.
回复评论:
- 20 分钟会话超时与您放置在用户会话对象中的项目有关 (HttpSessionState) 使用
Session.Add(string, object)方法. - 这取决于.如果您已正确配置了 machine.key,身份验证令牌仍然有效,如果您的会话不再是InProc"这些也将在应用程序重新启动后持续存在并且仍然可读 - 请参阅上面的注释.
- The 20 minute session time-out relates to items you've placed in the users session object (HttpSessionState) using the
Session.Add(string, object)method. - That depends. If you've correctly configured the machine.key, authentication tokens will still be valid, and if your sessions are no longer "InProc" these will also persist through application restarts and will still be readable - see notes above.
这篇关于会话超时在 IIS 7 中如何工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
