会话状态。如何使用自定义模式管理会话?
我正在开发一个网站,这是我的第一个网络项目。
会话场景
我为我的项目创建了一个安全级别有点高的数据库。我想管理登录我网站的每个用户的会话。可以使用 Cookie 和 URL 来使用会话状态,一次只能使用一个。
现在我回顾了所有四种会话状态模式。 IE 1. InProc 2. State Server 3. Sql Server 4. Custom
在查看所有这些模式后,我很困惑应该使用 Sql Server 还是 Custom。
基本上我想将会话相关信息存储在我自己的数据库中,而不是 Microsoft 提供的默认数据库 Aspnet_db 中。我已经创建了与登录和注册相关的所有表。但我不知道如何将会话存储到我的数据库中。 我需要创建哪些表才能维护到数据库中。
我想在我的数据库中创建完整的会话日志和登录相关信息(至少持续一年)。 我想使用机器密钥作为 AES 和 SHA1。
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
<machineKey decryption="AES"
validation="SHA1"
decryptionKey="7E047D50A7E430181CCAF7E0D1771330D15D8A58AEDB8A1158F97EEF59BEB45D"
validationKey="68B439A210151231F3DBB3F3985E220CFEFC0662196B301B84105807E3AD27B6475DFC8BB546EC69421F38C1204ACFF7914188B5003C1DCF3E903E01A03C8578"/>
<add name="conString" connectionString="Data Source=192.168.1.5; Initial Catalog=dbName; Integrated Security=True;" providerName="System.Data.SqlClient" />
我需要在 webconfig 中指定哪些内容?
我的数据源= 192.168.1.5 数据库名称= db.mdf
我需要了解什么
- 我需要将哪些表添加到我的数据库中 存储会话相关的数据库 信息。例如。会话 ID(任意 其他字段也存储或不存储), 会话时间、会话开始时间、 会话结束时间、会话过期 时间。我不知道所有的事情是什么 通常被采取。
- 我需要加密会话 ID 在存储到数据库之前。如果是,
加密将是自动的,或者我是否需要编写一些代码来执行此操作,而不是我在上面的网络配置中编写的代码。
- 如何使用 mode='custom' 使用我的数据库进行网络配置。
在下面的代码中
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
I am working on a website and this is my first web project.
Scenario for Session
I have created a database for my project with security level little bit high. I want to manage session for each and every user who is logging in to my website. Session state can be used using Cookie as well as URL, only one at a time.
Now I went over with all four session state modes.
i.e
1. InProc 2. State Server 3. Sql Server 4. Custom
Now after reviewing from all these modes I am in confusion which one should I use Sql Server or Custom.
Basically i want to store session related information in my own database instead of Aspnet_db which is a default database provided by microsoft. I have created all tables related to login and registration. But I dont know how to store session into my database.
What tables do I need to create so as to maintain into database.
I want to create a complete log of session and login related information into my database(Persistant atleast for 1 year).
I want to use machinekey as AES and SHA1.
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
<machineKey decryption="AES"
validation="SHA1"
decryptionKey="7E047D50A7E430181CCAF7E0D1771330D15D8A58AEDB8A1158F97EEF59BEB45D"
validationKey="68B439A210151231F3DBB3F3985E220CFEFC0662196B301B84105807E3AD27B6475DFC8BB546EC69421F38C1204ACFF7914188B5003C1DCF3E903E01A03C8578"/>
<add name="conString" connectionString="Data Source=192.168.1.5; Initial Catalog=dbName; Integrated Security=True;" providerName="System.Data.SqlClient" />
What all things do i need to specify in webconfig ?
My Data Source= 192.168.1.5
Database name= db.mdf
What I need to know about
- What tables do i need to add to my
database to store session related
information. eg. Session id (Any
other field is also stored or not),
Session Time, Session Start Time,
Session End Time, Session Expire
Time. I dont know what all things
are usually taken. - Do I need to encrypt Session Id
before storing into database. If Yes
Encryption will be automatic or do i need to write some code to do this other than that I wrote in web config above.
- How mode='custom' will be used into
web config using my database.
in following code
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果您使用的是 SQL Server 会话提供程序,则应运行
aspnet_regsql来创建您需要的表:(如果您使用的是 SQL Express,请将 localhost 替换为 .\SQLEXPRESS)
您还可以指定自定义如果您不希望命令创建 aspnetdb 数据库,请使用 -d 标志的数据库名称。您还可以运行不带标志的命令来使用向导模式。
如果您想构建自定义会话提供程序(不是一个小任务),您可以首先查看由上述命令运行的脚本:
尽管这取决于您的要求,但通常会话状态加密不会增加太多价值。但是,如果您的数据特别敏感,那么可能值得考虑。但请注意,会话状态的最大风险通常不在数据库端,而是在客户端,一个用户可以通过访问其会话 cookie 来窃取另一用户的会话。因此,在我在数据库端采用加密之前,我至少会对引用会话 cookie 的所有页面使用 SSL。
如果有帮助的话,我在书中介绍了自定义会话状态的许多方面,尽管我没有演示完整的自定义提供程序: 超快 ASP.NET.
If you're using the SQL Server session provider, you should run
aspnet_regsqlto create the tables you need:(replace localhost with .\SQLEXPRESS if you're using SQL Express)
You can also specify a custom DB name with the -d flag if you don't want the command to create the aspnetdb database. You can also run the command without flags to use wizard mode.
If you want to build a custom session provider (not a small task), you might start by looking at the script that's run by the command above:
Although it depends on your requirements, generally encryption of session state doesn't add much value. However, if your data is particularly sensitive, then it might be worth considering. Note, though, that the biggest risk with session state normally isn't on the DB side, rather it's on the client side, with one user being able to steal a session from another user, by getting access to their session cookie. Because of that, before I resorted to encrypting on the DB side, I would at least use SSL for all pages that reference the session cookie.
In case it helps, I cover many aspects of customizing session state in my book, although I stop short of demonstrating a full custom provider: Ultra-Fast ASP.NET.
问题集 1:
第二集:
Question set 1:
Set 2: