避免在 ASP.NET 中身份验证会话超时后丢失回发用户输入
我有一个位于 ASP.NET 表单身份验证后面的表单。 到目前为止,实现遵循典型的“开箱即用”类型配置。
一页允许用户发布消息。 如果用户在该页面上停留很长时间来撰写消息,则该消息可能会超过身份验证会话过期时间。 在这种情况下,帖子不会被记录......它们只是被重定向到登录页面。
我应该采取什么方法来防止长消息丢失的令人沮丧的事件?
显然,我可以让身份验证会话变得非常长,但系统中还有其他因素阻碍了这种方法。 有没有办法让这个特定页面例外,这样只要它是回发,它就永远不会重定向到登录?
I have a form that sits behind ASP.NET forms authentication. So far, the implementation follows a typical "out of the box" type configuration.
One page allows users to post messages. If the user sits on that page for a long time to compose the message, it may run past the auth session expiration. In that case, the post does not get recorded... they are just redirected to the login page.
What approach should I take to prevent the frustrating event of a long message being lost?
Obviously I could just make the auth session really long, but there are other factors in the system which discourage that approach. Is there a way I could make an exception for this particular page so that it will never redirect to the Login so long as its a postback?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
请参阅此相关问题,其中的答案几乎都是关于登录后保留值的相同概念的主题:
如果您不关心他们在 POST 时是否登录(对我来说,安全方面似乎有点不确定......)然后在 IHttpModule 中挂钩 HttpContext.PostAuthenticateRequest 将使您有机会使用 FormsAuthentication.SetAuthCookie 重新登录。 可以通过设置 HttpContext.User 类似地使用 FormsAuthenticationModule.Authenticate 事件:
See this related question, where the answers are all pretty much themes on the same concept of keeping values around after login:
If you don't care if they're logged in or not when they POST (seems a little iffy security-wise to me...) then hooking HttpContext.PostAuthenticateRequest in an IHttpModule would give you a chance to relogin using FormsAuthentication.SetAuthCookie. The FormsAuthenticationModule.Authenticate event could be used similarly by setting an HttpContext.User:
当会话超时发生时,用户的会话(和页面信息)将被释放,这意味着最终的回发将失败。 正如其他人所建议的,有一些解决方法,但他们都假设您不关心该特定页面上的身份验证和安全性。
我建议使用 Ajax 每 10 分钟左右静默回发一次以保持活动状态,或者按照您的建议增加会话超时。 您可以尝试在网络配置中创建页面特定部分,并在其中包含更长的超时时间。
When the session timeout happens the user's session (and page information) get disposed, which would mean the eventual postback would fail. As the others have suggested there are some work arounds, but they all assume you don't care about authentication and security on that particular page.
I would recommend using Ajax to post back silently every 10 mins or so to keep it alive, or increase the timeout of the session as you suggest. You could try to make a page specific section in your web config and include in there a longer timeout.
我通过将表单值添加到数据库来处理此问题,该值由远程 IP 而不是用户 ID 标识。
然后,登录后,您可以检查当前用户的IP地址在数据库中是否有一行,并执行所需的操作。
迈克尔
I handled this once by adding the form value to the database, identified by the remote IP instead of user ID.
Then, after login, you can check to see if the current user's IP address has a row in the database, and perform the required action.
Michael
我的同事使用 HttpModule 提出了解决此类问题的通用解决方案。
请记住,他决定在此特定应用程序中处理自己的身份验证。
如下:
他创建了一个 HttpModule,用于检测用户何时不再登录。如果用户不再登录,他会获取该页面的 ViewState 以及所有表单变量,并将其存储到一个集合中。 之后,用户被重定向到登录页面,其中包含上一页的表单变量和隐藏字段中编码的 ViewState 信息。
用户成功重新进行身份验证后,将检查隐藏字段。 如果该隐藏字段可用,则会使用旧帖子的表单变量和视图状态填充 HTML 表单。 然后使用 JavaScript 自动将此表单提交到服务器。
My coworker came up with a general solution to this kind of problem using an HttpModule.
Keep in mind he decided to to handle his own authentication in this particular application.
Here goes:
He created an HttpModule that detected when a user was no longer logged in. If the user was no longer logged in he took the ViewState of that page along with all the form variables and stored it into a collection. After that the user gets redirected to the login page with the form variables of the previous page and the ViewState information encoded in a hidden field.
After the user successfully reauthenticates, there is a check for the hidden field. If that hidden field is available, a HTML form is populated with the old post's form variables and viewstate. Javascript was then used auto submit this form to the server.