Cookie Confusion with FormsAuthentication.SetAuthCookie() Method

Question

So there are lots of posts on StackOverflow regarding this, but I still was unable to solve my exact problem. Here's the gist:

I have a website that requires authentication. I am using the standard .NET FormsAuthentication.SetAuthCookie() method to persist the user's session.

My question is this: In the web.config file, there is a timeout attribute on the "/system.web/authentication/forms" node. If I set this value to, say, 30 minutes, is this the time of user inactivity the user can have before their session expires?

The reason I ask is that no matter what I set this value to, if I set persistence to true in SetAuthCookie(), the expiration on the cookie set is 90 minutes. If I set persistence to false in SetAuthCookie(), the cookie expiration is set to "end of session".

What is that "Timeout" attribute value actually setting, and how can I get a persistent cookie that lasts a month or a year or longer?

Answer

The parameter timeout you've found in /system.web/authentication/forms is the timeout (in minutes) of the duration of the authentication ticket.

This means that after a certain amount of time of inactivity, a user is prompted to log in again. If you then check My.Profile.Current.IsAuthenticated it will be false.

You can choose not to persist the cookie. In this situation, if your ticket expires, your cookie expires too. The cookie (in case it is persisted) has the purpose of remembering the user if he/she comes back to your site.

You might want to persist your cookie for 10 years so the user will never have to insert username and password again, unless they've chosen to delete the cookie. The cookie is valid even if the browser is closed (when it is persisted).

Another important thing to remember is the parameter slidingExpiration:

<authentication mode="Forms">
    <forms loginUrl="~/Partner/LogOn" defaultUrl="~/Home/Index" 
           timeout="30" slidingExpiration="true" />
</authentication>

If it's true, your authentication ticket will be renewed every time there's activity on your site: a refresh of the page, etc.

What you can do - and what I've done - is to write your own cookie like this:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    1,                           // version
    userName,                    // user name
    DateTime.Now,                // creation
    DateTime.Now.AddMinutes(30), // expiration (you can set it to 1 month)
    true,                        // persistent
    userData);                   // additional information

Update

I've implemented this routine because I want to store my groups in an encrypted cookie:

Dim authTicket As System.Web.Security.FormsAuthenticationTicket = _
        New System.Web.Security.FormsAuthenticationTicket( _
            1, _
            UserName, _
            Now, _
            Now.AddYears(100), _
            createPersistentCookie, _
            UserData)

Dim encryptedTicket As String = System.Web.Security.FormsAuthentication.Encrypt(authTicket)

Dim authCookie As HttpCookie = New HttpCookie( _
    System.Web.Security.FormsAuthentication.FormsCookieName, _
    encryptedTicket)

If (createPersistentCookie) Then
    authCookie.Expires = authTicket.Expiration
End If

Response.Cookies.Add(authCookie)

As you can see I've set the expiration of the authentication cookie and the authentication ticket with the same timeout (only when persisted).

Another thing that I've tried is to store username and password in the encrypted cookie. Every time a master page is loaded I check My.Profile.Current.IsAuthenticated to see if the authentication is still valid. If not, I read the cookie again, get the username and password, and check it against the DB:

Imports System.Web
Imports System.Web.Script.Serialization

Public Function ReadCookieAuthentication(ByVal Context As System.Web.HttpContext) As Security.CookieAuth

    Dim CookieUserData = New Security.CookieAuth()

    Dim cookieName As String = System.Web.Security.FormsAuthentication.FormsCookieName
    Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)

    If (Not (authCookie Is Nothing)) Then
        Dim authTicket As System.Web.Security.FormsAuthenticationTicket = Nothing
        Try
            authTicket = System.Web.Security.FormsAuthentication.Decrypt(authCookie.Value)
            If (Not (authTicket Is Nothing)) Then
                If (authTicket.UserData IsNot Nothing) AndAlso Not String.IsNullOrEmpty(authTicket.UserData) Then
                    CookieUserData = New JavaScriptSerializer().Deserialize(Of Security.CookieAuth)(authTicket.UserData.ToString)
                End If
                CookieUserData.UserName = authTicket.Name
            End If
        Catch ex As Exception
            ' Do nothing.
        End Try
    End If

    Return (CookieUserData)

End Function


Security.CookieAuth is an object I've created to return username and password.
CookieUserData is the storage (I save in json format) where I put my password and groups.
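The same idea as the answer's two routines (issue a ticket whose expiry matches the cookie's, then read it back), as an added C# example that is not the poster's code: the cookie is marked HttpOnly, the ticket's own Expired flag is checked on read instead of swallowing every error, and only the groups go into UserData. UserClaims (standing in for Security.CookieAuth), IssueAuthCookie and ReadAuthTicket are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.Script.Serialization;
// Added example, not the poster's code. Assumed names: UserClaims (in place of
// Security.CookieAuth), IssueAuthCookie, ReadAuthTicket. No password in the cookie.
public class UserClaims
{
    public string UserName { get; set; }
    public List<string> Groups { get; set; }
}
public static class AuthCookieHelper
{
    // Ticket and cookie share one lifetime, so the browser never keeps a cookie
    // whose ticket the server would already reject.
    public static HttpCookie IssueAuthCookie(string userName, List<string> groups,
                                             bool persistent, TimeSpan lifetime)
    {
        string userData = new JavaScriptSerializer()
            .Serialize(new UserClaims { UserName = userName, Groups = groups });
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(1, userName, now, now.Add(lifetime),
                                                   persistent, userData);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // unreadable from page script
            Secure = FormsAuthentication.RequireSSL  // follows <forms requireSSL>
        };
        // No Expires means "end of session" (the question's non-persistent case);
        // a persistent ticket gets the ticket's own expiry, as in the answer.
        if (persistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }
    // Null for a missing, tampered or expired ticket; never an empty "valid" login.
    public static UserClaims ReadAuthTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }  // malformed, tampered or re-keyed value
        if (ticket == null || ticket.Expired) return null;  // enforces <forms timeout>
        var claims = string.IsNullOrEmpty(ticket.UserData) ? new UserClaims()
            : new JavaScriptSerializer().Deserialize<UserClaims>(ticket.UserData);
        claims.UserName = ticket.Name;  // name from the ticket itself, as in the answer
        return claims;
    }
}
```

With slidingExpiration="true" in web.config the framework only renews tickets it issued through SetAuthCookie; a hand-built ticket like this one keeps the fixed lifetime you gave it unless you renew it yourself with FormsAuthentication.RenewTicketIfOld.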
