Asp.net 形成身份验证 cookie 不遵守 IIS7 超时
身份验证 cookie 似乎会在短时间内(大约一天)后超时。我正在使用表单身份验证,并且 web.config 中的 timeout="10080" 和 slipExpiration="false" 。通过该设置,cookie 应在用户成功通过身份验证后大约 7 天过期。
这与 IIS6 中宣传的一样有效,但当我将站点移至 IIS7 时,cookie 过期得更快。我已经在使用 IE 和 Firefox 的多台计算机上确认了此行为,使我相信这是 IIS7 设置。
是否存在特定于 IIS7 的与身份验证相关的隐藏设置?除匿名用户跟踪外,网站禁用所有其他身份验证类型。
Authentication cookies seem to timeout after a short period of time (a day or so). I am using Forms Authentication and have the timeout="10080" with slidingExpiration="false" in the web.config. With that setting, the cookie should expire roughly 7 days after the user is successfully authenticated.
This worked as advertised with IIS6, but when I moved the site to IIS7, the cookie expires much quicker. I've confirmed this behavior on multiple machines with IE and Firefox, leading me to believe it's an IIS7 setting.
Is there a hidden setting that is IIS7 specific related to authentication? All other authentication types are disabled for the website, except for anonymous user tracking.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
身份验证 Cookie 使用本地
web.config或全局machine.config中的machineKey值进行加密。如果没有显式设置这样的密钥,则会自动生成一个密钥,但它不会持久保存到磁盘上 - 因此,每当应用程序重新启动或由于不活动而“回收”时,它都会发生变化,并且新密钥将在下一次点击时创建。解决问题就像将
web.config或可能(最好?)到machine.config(未经测试):Google生成随机机器密钥 可以为您生成此部分的网站。不过,如果您的应用程序处理机密信息,您可能需要自己创建密钥。
The authentication cookie is encrypted using the
machineKeyvalue from the localweb.configor the globalmachine.config. If no such key is explicitly set, a key will be automatically generated, but it is not persisted to disk – hence, it will change whenever the application is restarted or "recycled" due to inactivity, and a new key will be created on the next hit.Resolving the problem is as easy as adding a
<machineKey>configuration section toweb.config, or possibly (preferably?) to themachine.configon the server (untested):Google generate random machinekey for sites that can generate this section for you. If your application deals with confidential information, you might want to create the keys yourself, though.
我的理解是cookie是由消费方——浏览器过期的,这意味着IIS在这方面没有发言权
My understanding is that cookies are expired by the consuming party - the browser, which means that IIS has no say in this
将 IIS 中配置的会话状态设置为
处理中
使用 Cookie
超时=您需要的时间
使用托管身份进行模拟
还将 EnableSessionState 设置为 true(这也是默认值),
最重要的是在经典模式下运行应用程序池。
希望您的问题能够得到解决。
Set session state configured in IIS as
In Process
Use Cookies
Time out = your required time
Use hosting identity for impersonation
Also set EnableSessionState to true (which is default too)
And most importantly run the app pool in classic mode.
Hope your problem will solve.
首先,我必须说这些“指南”是通用的,而不是 iis-7 独有的。下的 web.config 中
在
您要么有
或
主要区别在于,在 InProc 中,会话状态数据放置在应用程序进程本身中。在另一种设置中,不同的服务正在执行存储,您的应用程序只需轮询它即可获取所需的数据。
使用这两种模式(以及 sql-server 会话状态模式)后,InProc 是最不可靠但最快的。 Sql-server 是最可靠且最慢的,StateServer 模式处于中间位置,仅在电源/系统故障的情况下不可靠。话虽如此,我必须说,对于请求数较低的网站,性能损失可以忽略不计。
现在,我的经验表明,InProc 的稳定性是相当难以预测的;我曾经和你有同样的问题。我能够通过调整应用程序池的设置来扩展应用程序的稳定性,我通过切换到 SessionState 完全消除了问题(这也允许关闭应用程序而不丢失会话状态数据)。
可能会受到应用程序/会话稳定性影响的原因:
IIS 和应用程序池。网站的每个虚拟目录都分配给一个应用程序池(默认为“DefaultAppPool”),该应用程序池具有一系列设置,您可以在其中定义进程“回收”的时间间隔 - 从而保留系统资源。如果您不更改设置,应用程序可能会触发进程回收器的条件之一,这意味着您的应用程序会破坏
在 ASP.NET 应用程序中,如果访问了 web.config(以及应用程序所依赖的任何子 .config 文件)文件,则应用程序将重新启动。现在,在某些情况下,防病毒程序可能会触及 web.config 文件(比如每天一次?),因此应用程序会重新启动并且会话数据会丢失。
配置错误
特别是对于表单身份验证,与时间相关的设置和行为始终依赖于 Web 会话,并且身份验证会话位于 Web 会话下。
我不知道的是,表单身份验证模块是否仅依赖于会话域,或者它是否也将数据放置在应用程序域中。如果是第二种情况,那么您可能必须禁用应用程序池中的所有回收设置,并再次检查配置/防病毒以及谁存储会话数据。
First of all i must say that these "guidelines" are generic and not iis-7 exclusive.
In web.config under
<system.web>you either have
<sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" timeout="130" cookieless="false"/>(which requires the ASP.NET Session State Server service running on localhost)or
<sessionState mode="InProc" timeout="130" cookieless="false"/>.The main difference is that in InProc that session state data are placed in the application process itself. In the other setting a different service is doing the storage, and you application just polls it to get the required data.
Having used both (as well as sql-server session state mode) the InProc is the least reliable but the fastest. The Sql-server is the most reliable and the slowest and the StateServer mode is somewhere in the middle being unreliable only in the case of a power/system failure. Having said that, i must say that for site with a low request count the performance penalty is negligible.
Now, my experience has shown that InProc is quite unpredictable on its stability; i used to have the same problem with you. I was able to extend the stability of the application by tweaking the settings of the application pool, i removed the problem altogether by switching to SessionState (which also allows to bring down the application and not lose session state data).
The reasons that you may suffer from application/session stability:
IIS and application pooling. Each virtul directory of a website is assigned to an application pool (by default to "DefaultAppPool") which has a series of settings amongst which you define the interval that the process is "recycled" - and as such preserve system resources. If you don't change the settings the application may trigger one of the criteria for the process recycler, which means that your application is busted
Antivirus.
In a ASP.NET application if the web.config (and any child .config files the application depends on) file is touched the application is restarted. Now there are cases where an antivirus program may touch the web.config file (say once a day?) and as such the application is restarted and session data is lost.
Bad configuration
Specifically for Forms Authentication the time-related settings and behavior always where dependent on the web-session with the auth-session being under the web-session.
What i don't know is if the Forms Authentication module depends only on Session domain or if it also places data in the application domain as well. If the second is the case then you may have to disable all recycling settings in the Application Pool as well as checking again configuration/antivirus and who stores the session data.
我最近遇到了同样的问题,即使我将会话超时设置为 2 小时,我的网站也会每 20 分钟超时一次。我发现这是因为 IIS 工作进程每 20 分钟超时一次: http://technet.microsoft.com/en-us/library/cc783089(WS.10).aspx
I recently had the same problem where my site was timing out every 20 minutes even though I set the session timeout to 2 hours. I found that it was because IIS worker process was timing out every 20 minutes: http://technet.microsoft.com/en-us/library/cc783089(WS.10).aspx