ASP.Net 表单身份验证 10 分钟后注销用户
我遇到了一个非常糟糕的问题,无论我尝试什么,用户都会在 10 分钟后被注销。
我正在使用在 Server 2003 R2 标准版上的 IIS 6.0 上运行的 ASP.Net 2.0,该服务器作为虚拟服务器运行,并具有所有适用的更新和 .Net 3.5 SP1。
客户端是 Internet Explorer 7.0
下面是 web.config 设置:
<!-- Authentication Mode -->
<authentication mode="Forms">
<forms name=".RecipeViewer" timeout="240" />
</authentication>
下面是用于设置授权 cookie 的代码:
Private Sub SetCookie(userName)
' Use security system to set the UserID within a client-side Cookie
Dim ticket As New FormsAuthenticationTicket(1,userName, DateTime.Now, DateTime.Now.Add(Me.GetFormsAuthSettings.Forms.Timeout), True, String.Empty, FormsAuthentication.FormsCookiePath)
Dim hash As String = FormsAuthentication.Encrypt(ticket)
Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, hash)
cookie.HttpOnly = True
If (ticket.IsPersistent) Then
cookie.Expires = ticket.Expiration
End If
Response.Cookies.Add(cookie)
' Redirect browser back to originating page
Response.Redirect(Request.ApplicationPath)
End Sub
Private Function GetFormsAuthSettings() As System.Web.Configuration.AuthenticationSection
Return DirectCast(System.Configuration.ConfigurationManager.GetSection("system.web/authentication"), System.Web.Configuration.AuthenticationSection)
End Function
我之前使用 FormsAuthentication.SetAuthCookie 甚至尝试过 FormsAuthentication.RedirectFromLoginPage 方法,但这些方法都有相同的结果,这就是为什么我最终执行了 FormsAuthentication 类在内部完成的硬 cookie 实现(通过在 Reflector 中查看)。
该问题在 Visual Studio 2008 asp.net 托管环境或 IIS 7.0 中无法重现。
编辑:启用 Cookie,甚至托管站点也已添加为受信任站点。
编辑:Google Chrome 和 Firefox 没有此问题。
编辑:目标计算机上的已验证 Cookie 设置为根据设置在 4 小时后过期(超时 = 240 分钟)。
编辑:正如豪斯所说,每个人都会撒谎。 用户并未实际测试新的代码库,而是先入为主地认为该软件仍然存在问题。 感谢在此主题中回复的所有人。
不要因为不再相关而关闭它,而是保留它以帮助人们解决问题,因为这个问题中有一些非常好的故障排除技术。
I am having a really bad issue where no matter what I try, the user is being logged off after 10 minutes.
I am using ASP.Net 2.0 running on IIS 6.0 on Server 2003 R2 Standard Edition running as a Virtual Server with all applicable updates and .Net 3.5 SP1.
The client is Internet Explorer 7.0
Below are the web.config settings:
<!-- Authentication Mode -->
<authentication mode="Forms">
<forms name=".RecipeViewer" timeout="240" />
</authentication>
Below is the code used to set the authorization cookie:
Private Sub SetCookie(userName)
' Use security system to set the UserID within a client-side Cookie
Dim ticket As New FormsAuthenticationTicket(1,userName, DateTime.Now, DateTime.Now.Add(Me.GetFormsAuthSettings.Forms.Timeout), True, String.Empty, FormsAuthentication.FormsCookiePath)
Dim hash As String = FormsAuthentication.Encrypt(ticket)
Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, hash)
cookie.HttpOnly = True
If (ticket.IsPersistent) Then
cookie.Expires = ticket.Expiration
End If
Response.Cookies.Add(cookie)
' Redirect browser back to originating page
Response.Redirect(Request.ApplicationPath)
End Sub
Private Function GetFormsAuthSettings() As System.Web.Configuration.AuthenticationSection
Return DirectCast(System.Configuration.ConfigurationManager.GetSection("system.web/authentication"), System.Web.Configuration.AuthenticationSection)
End Function
I was previously using the FormsAuthentication.SetAuthCookie as well as even trying the FormsAuthentication.RedirectFromLoginPage methods, but these both had the same result, which is why I ended up doing the hard cookie implementation that is done internally (via viewing in Reflector) that the FormsAuthentication class does.
The issue is NOT reproduceable in the Visual Studio 2008 asp.net hosting environment or in IIS 7.0.
EDIT: Cookies are enabled, even the hosted site has been added as a trusted site.
EDIT: Google Chrome and Firefox do not have this issue.
EDIT: Verified Cookie on target machine is set to expire after 4 hours as per the setting (timeout = 240 minutes).
EDIT: As House says, everyone lies. User did not actually test the new code base and was going on a pre-conceived notion that the software was still broken. Thank you to everyone who replied in this topic.
Not closing this for no longer relevant, but keeping it around to help people troubleshoot the issue as there are some really good troubleshooting techniques in this question.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
也可能(已经)未设置机器密钥,因此每次初始化应用程序时都会随机生成(这意味着加密的身份验证票证将使用新密钥加盐)。
我使用一个网站为我的应用程序生成一个新的机器密钥并将其粘贴在 web.config 中:
http: //www.orcsweb.com/articles/aspnetmachinekey.aspx
It could also (have been) that the machinekey was not set and thus being randomly generated every time the app was initialized (which would mean that the encrypted authentication ticket would be salted with a new key).
I use a site to generate a new machinekey for my apps and stick it in the web.config:
http://www.orcsweb.com/articles/aspnetmachinekey.aspx
尽管您的要求是 IE,但您可以使用带有 Firebug 和 FireCookie 的 Firefox 来监控您的 cookie 和过期情况。
在 IE 中,您可以下载 IE 开发人员工具栏,在其中您可以使用“缓存”\“查看 Cookie 信息”菜单查看您的 Cookie 值。
如果它在 Google Chrome 中正常工作,这很奇怪,也许您可以使用 global.asax 中的 Application_BeginRequest 事件捕获请求并记录收到的 cookie 及其值。
Although your requirement is for IE you can use Firefox with Firebug and FireCookie to monitor your cookies and expirations.
In IE you can download IE Developer Toolbar, in wich you can see your cookies values using the Cache \ View Cookie Information menu.
It's strange if it work properly in Google Chrome, maybe you can capture the request using the Application_BeginRequest event in the global.asax and log the cookies received and it's values.
未处理的异常可能会导致进程重新启动。 这可能会增加奇怪的行为。 事件日志中是否有任何报告?
Unhandled exceptions could be causing the proc to restart. This could add to the strange behavior. Is there anything reported in the eventlogs?
我依稀记得有关 IIS 会话超时设置能够覆盖您在 web.config 中设置的任何内容。 检查您的应用程序属性是否未设置 10 分钟的超时(属性 -> 配置 -> 选项)。
I vaguely recall something about the IIS session timeout settings being able to override whatever you have set in the web.config. Check that your application properties don't set a timeout of 10 minutes (properties->configuration->options).
我过去也遇到过类似的问题,但我不确定这是否是你所说的问题。 我说得对吗,您的问题不会发生在生产系统(或任何频繁负载的系统)上? 如果是这样,问题可能是工作线程空闲超时。 您可以尝试在 IIS 管理器 -> 右键单击“应用程序池”,转到“性能”选项卡下更改它或将其关闭,它是“空闲超时”下的复选框。 您可能也对该对话框的“回收”选项卡上的内容感兴趣。
I've had a similar problem in the past, but I'm not sure it's what you're talking about. Am I right that your problem doesn't happen on production systems (or any system under frequent load)? If so, the problem may be the worker thread idle timeout. You can try changing it or turning it off under IIS Manager->right click Application Pools, go to Performance tab, it's the checkbox under Idle Timeout. The stuff on the Recycling tab of that dialog may also be of interest to you.
客户没有测试生产代码,并且在将补丁应用到其生产环境之前仍在对上一问题进行响应。
如果您无法在同一环境中复制它,我建议您召开一次会议,您可以在其中观看他们复制问题。
48 小时后将此标记为答案。
Client did not test production code and was still responding from the previous issue before a patch was applied to their production environment.
If you can't replicate it on the same environment, I would recommend a meeting where you can watch them replicate the issue.
Flagging this as answer after 48 hours.
更改您的会话状态以使用 InProc 进行存储,您可能会面临与我类似的问题,即当用户遇到错误时,每次不使用 InProc 存储会话时,会话基本上都会终止。
会话类型:
http://msdn.microsoft.com/en-我们/library/ms178586(v=vs.100).aspx
Change your Session State to store using InProc, you are likely facing an issue similar to mine that when the user hit an error the session was essentially just dying every time when it wasn't being stored using InProc.
Session Types:
http://msdn.microsoft.com/en-us/library/ms178586(v=vs.100).aspx