.NET中的Cookie和会话到期 [英] Cookies and Sessions Expiration in .NET
问题描述
我有一个MVC4单一应用程序页面。在登录页面有3个字段:用户,密码和记住我复选框。
C#的登录代码是:
if(WebSecurity.Login(model.UserName,model.Password,persistCookie :model.RememberMe))
{
FormsAuthentication.SetAuthCookie(model.UserName,model.RememberMe);
return Json(new {success = true,redirect = returnUrl});
}
else
{
ModelState.AddModelError(,提供的用户名或密码不正确。
}
我想这样做: >
-
如果用户使用记住我登录 true - Cookie将一直保留,直到用户注销
-
如果用户使用记住我登录 false - Cookie将在3小时后过期。
在web.config中,我有以下代码:
< authentication mode =Forms>
< forms loginUrl =〜/timeout =180cookieless =UseCookiesslidingExpiration =false/>
< / authentication>
< sessionState timeout =180/>
问题是用户在短时间内没有触摸页面通常),然后用户尝试在页面中执行某些操作 - 出现错误
此请求的授权已被拒绝。
(虽然 sessionStation 已超过30分钟!)
用户刷新页面后 - 如果cookie尚未过期 - 一切正常。但是我当然不想让用户每隔15分钟刷新一次页面,这是一个单页面的应用程序。
所以,我试图改变 slidingExpiration 到true并且每17分钟创建一个ping(使用ajax),它真的停止了会话过期和恼人的消息 - 但cookie没有过期3
我可以做什么?
我会仔细检查你的IIS设置。查看您的应用程序池空闲超时值设置为。默认为20分钟。当应用程序池空闲(没有用户访问应用程序池)达二十分钟时,您将松开会话状态(存储在会话中的所有数据将被清除)。
对于更多的用户,这个问题会自动解决,但是假设你是唯一测试的人,将此值增加到大于180分钟将阻止超时,或者您可以将值设置为零以完全禁用应用程序池空闲超时。
有关在IIS Express中检查应用程序池超时的信息,请参阅此答案... http://stackoverflow.com/a/10222419/386856
请注意,死亡的应用池可能需要几秒钟才能重新生成。增加此值可能是有益的。如果他们恰巧是等待应用程式池重新启动的人,那么这将阻止用户体验非常慢的体验。
更新
为了允许未点击记住我的用户更改超时,您可以创建自定义属性,也可以通过以下方式修改FormsAuthentication超时: C#。这里是通过代码设置超时的好参考。 https:/ /msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.timeout%28v=vs.110%29.aspx 和 https://msdn.microsoft.com/en-us/library/system.web .configuration.formsauthenticationconfiguration(v = vs.110).aspx 如果你希望超时在3小时后到期,即使用户有活动,请确保你的web配置中的slidingExpiration为false。如果希望超时在用户的最后一个活动的3小时后过期,请确保slidingExpiration为true。所以在你设置cookie之前尝试类似下面的东西(一定要检查OpenWebConfiguration路径):
System.Configuration.Configuration configuration = WebConfigurationManager.OpenWebConfiguration(/ aspnetTest);
AuthenticationSection authenticationSection =(AuthenticationSection)configuration.GetSection(system.web / authentication);
FormsAuthenticationConfiguration formsAuthentication = authenticationSection.Forms;
formsAuthentication.Timeout = System.TimeSpan.FromHours(3);
formsAuthentication.SlidingExpiration = true;
I have an MVC4 single application page. In the log-in page there are 3 fields: user, password and "remember me" checkbox. The C# login code is this:
if (WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
{
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
return Json(new { success = true, redirect = returnUrl });
}
else
{
ModelState.AddModelError("", "The user name or password provided is incorrect.");
}
I want to do this:
If a user logs in with "remember me" true - The cookie will stay until the user logs off.
If the user logs in with "remember me" false - The cookie will expire after 3 hours.
In web.config I have this code:
<authentication mode="Forms">
<forms loginUrl="~/" timeout="180" cookieless="UseCookies" slidingExpiration="false" />
</authentication>
<sessionState timeout="180" />
The problem is when the user doesn't touch the page for a short time (10-30 mins usually), and then the user tries to do something in the page - there is an error
"Authorization has been denied for this request."
(Although sessionStation is more than 30 minutes!)
After the user refresh the page - if the cookie hasn't expired yet - everything works fine. But of course I don't want to make the user refresh the page every 15 minutes or so, it's a single-page-application.
So, I tried to change slidingExpiration to "true" and create a ping (with ajax) every 17 minutes and it really stopped the session expiration and the annoying message - but the cookie didn't expired after 3 hours (I logged in with remember me 'false')!
What can I do?
I would double check your IIS settings. See what your App Pool Idle Timeout value is set to. By default it's 20 minutes. When the App Pool goes idle (no users accessing the app pool) for twenty minutes, you will loose session state (All data stored in the session will be cleared).
With more users this problem would work itself out, but presuming you are the only person testing, increasing this value to something greater than 180 minutes will prevent the timeout, or you could set the value to zero to disable the app pool idle timeout altogether.
See this answer for information on checking your app pool timeout in IIS Express... http://stackoverflow.com/a/10222419/386856
Do note that a dead app pool can take several seconds to re-spawn. It may be beneficial to increase this value anyways. This will prevent users from having an extremely slow experience if they happen to be the person that's unlucky enough to have to wait for the app pool to restart.
Update
To allow for a change in timeout for users who don't click remember me, you can create a custom attribute or you could modify the FormsAuthentication timeout via C#. Here are good references on setting the timeout via code. https://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.timeout%28v=vs.110%29.aspx and https://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration(v=vs.110).aspx If you want the timeout to expire right at 3 hours, even if the user has activity be sure slidingExpiration is false in your web config. If you want the timeout to expire 3 hours after the user's last activity be sure slidingExpiration is true. So before you set the cookie try something like the following (Be sure to check the OpenWebConfiguration path):
System.Configuration.Configuration configuration = WebConfigurationManager.OpenWebConfiguration("/aspnetTest");
AuthenticationSection authenticationSection = (AuthenticationSection)configuration.GetSection("system.web/authentication");
FormsAuthenticationConfiguration formsAuthentication = authenticationSection.Forms;
formsAuthentication.Timeout = System.TimeSpan.FromHours(3);
formsAuthentication.SlidingExpiration = true;
这篇关于.NET中的Cookie和会话到期的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
