Drawbacks of a never-expiring timeout in ASP.NET MVC?

Posted on 2024-08-17 01:33:57 · 962 words · 4 views · 0 comments

As a user, when I see a "remember me" checkbox, I expect it to remember me -- not just when I close my browser, but when I come back to the site after a week.

So in my ASP.NET MVC application I am considering the following web.config values:

<authentication mode="Forms">
  <forms defaultUrl="/" loginUrl="/account/login" name=".ASPXAUTH" timeout="50000000" />
</authentication>

I plan to also have userIsOnlineTimeWindow="20" to still have decent stats about who is online. I also plan to set up a machineKey so that the user isn't kicked off when IIS recycles.

Thoughts on this setup? My biggest concern is that it will hog up resources -- but will it in a stateless MVC app? Isn't that actually related to the sessionState timeout variable as opposed to authentication timeout? And sessionState is no longer relevant in MVC? I've seen conflicting information and am trying to get to the bottom of it.

Also, if I take this approach, I assume that this should also take care of the user who fills out a form for a long time before hitting submit and they lose their work. I've seen posts related to that, but am trying to solve two problems at once (keep alive while viewing the page plus also keep alive for days if I said 'remember me').

One issue I see is that even if the user doesn't say "remember me" it will still remember them until they close the browser. (To me that's within user expectations.) The other issue is that I may need to perform extra checks on IsApproved and IsLockedOut per http://scottonwriting.net/sowblog/posts/11167.aspx.

Thoughts? Particularly on the system resources issue. Thanks.

Comments (1)

霞映澄塘 2024-08-24 01:33:58

FormsAuthentication is stored as a cookie in the client's browser and will not use up any resources by itself. The timeout setting there does not change how long something will be kept in the server's memory or anything to do with the regular session storage.

If you rely solely on the user ID/name you get from FormsAuthentication (HttpContext.User) then yes, there will probably be issues with administering user accounts like you point out. It would be a good practice to look up the actual current user data once per request.
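
One way to do the per-request lookup the answer recommends, so that a long-lived forms ticket stops working once the account is locked out or disapproved. This is an added example, not code from the question or the answer; it assumes the default Membership provider and a Global.asax class named MvcApplication.

```csharp
// Global.asax.cs -- added example; the class name and flow are assumptions,
// not taken from the original post.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Runs after the forms authentication module has validated the ticket
    // and populated Context.User from the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal principal = Context.User;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            return; // anonymous request, nothing to re-check
        }

        // The ticket only proves that a login succeeded when it was issued.
        // With a very long timeout that can be weeks ago, so re-read the
        // account. The second argument (userIsOnline = true) also updates
        // LastActivityDate, which the userIsOnlineTimeWindow stats rely on.
        MembershipUser user = Membership.GetUser(principal.Identity.Name, true);

        bool stillValid = user != null && user.IsApproved && !user.IsLockedOut;
        if (stillValid)
        {
            return;
        }

        // Account deleted, disapproved or locked out since the ticket was issued.
        // SignOut only expires the cookie in this browser; a copied ticket stays
        // cryptographically valid, so this per-request check is what enforces
        // the revocation.
        FormsAuthentication.SignOut();

        // Treat the remainder of this request as anonymous so that [Authorize]
        // sends the user to the configured loginUrl.
        Context.User = new GenericPrincipal(
            new GenericIdentity(string.Empty), new string[0]);
    }
}
```

The lookup costs one provider call per authenticated request; caching the result for a short interval reduces that cost at the price of a matching delay before a lockout takes effect.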
