ASP.NET - Log User Session Start/Stop Times for Audit Trail - Global.ASAX?
My ASP.NET intranet web application uses Windows Authentication, and I would like to record the following details:
1) Windows ID
2) Session Start Time
3) Session Stop Time
4) URL being browsed to (optional)
I've got some basic code set up in the "Session_Start" method of the Global.ASAX to log session start times (seen below), but that's it so far. I have the feeling this is a primitive approach and there are "better" ways of doing this. So I really have two questions:
1) Is this the right way to go about doing this? If not, what are some other options?
2) If this is the right way, do I just need to drop some code in the "Session_End" method to record the time they exit, and that's a complete solution? Does this method always get called when they close the browser tab they have the site open in, or do they have to close the entire browser (I don't have logout functionality)? Any way users can skip over this session end method (or start for that case)?
    Dim connsql As New System.Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("MyConnectionstring").ConnectionString)
    Dim cmdsql As System.Data.SqlClient.SqlCommand = connsql.CreateCommand
    cmdsql.CommandText = "BeginUserSession"
    cmdsql.CommandType = Data.CommandType.StoredProcedure
    Try
        ' Pass the authenticated Windows identity name to the stored procedure
        cmdsql.Parameters.Add("@windowsid", System.Data.SqlDbType.VarChar, 30, "windowsid")
        cmdsql.Parameters("@windowsid").Value = Session("UserInfo").identity.name
        If connsql.State <> System.Data.ConnectionState.Open Then connsql.Open()
        cmdsql.ExecuteNonQuery()
        connsql.Close()
    Catch ex As Exception
        ' Empty handler: a failure to write the audit record is discarded here
    Finally
        ' Make sure the connection is released even when the call fails
        If connsql.State <> Data.ConnectionState.Closed Then connsql.Close()
    End Try
    'Stored Proc records start time
Comments (3)
Session_End is not reliable.
What I would suggest is on Session_Start you create a record that notes the time the Session was created, and in Session_End you update the record with the time it was ended.
To handle the majority of sessions which are passively abandoned, use Application_BeginRequest to update the record to note when the user was "last seen".
You will then need to determine a way of marking sessions that have been passively abandoned. This will be site/app specific. It could be as simple as picking a number of minutes that must pass before the session is considered abandoned - like 10 minutes.
So then you have a query:
Which will bring back your session audit log.
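The query itself is not shown on this page. As an added illustration (not the answerer's code), here is one possible T-SQL shape for the scheme described above: a row written at session start, a last-seen update per request, and an audit query that treats sessions idle for more than 10 minutes as abandoned. The table, column and procedure names and the sample values are assumptions.

```sql
-- Added example; every object name below is hypothetical.
CREATE TABLE dbo.UserSessionAudit (
    AuditId     INT IDENTITY(1,1) PRIMARY KEY,
    SessionId   NVARCHAR(88) NOT NULL,  -- Session.SessionID; ASP.NET can reuse an id, so it is not the key
    WindowsId   VARCHAR(30)  NOT NULL,  -- same width as @windowsid in the question
    StartedUtc  DATETIME2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    LastSeenUtc DATETIME2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    EndedUtc    DATETIME2(0) NULL       -- stays NULL when Session_End never fires
);
CREATE INDEX IX_UserSessionAudit_Session ON dbo.UserSessionAudit (SessionId, EndedUtc);
GO
-- Called from Session_Start.
CREATE PROCEDURE dbo.AuditSessionStart @sessionid NVARCHAR(88), @windowsid VARCHAR(30) AS
BEGIN
    SET NOCOUNT ON;
    -- If the same session id shows up again, close the stale open row first.
    UPDATE dbo.UserSessionAudit SET EndedUtc = LastSeenUtc
     WHERE SessionId = @sessionid AND EndedUtc IS NULL;
    INSERT INTO dbo.UserSessionAudit (SessionId, WindowsId) VALUES (@sessionid, @windowsid);
END
GO
-- Called once per request to record when the user was "last seen".
CREATE PROCEDURE dbo.AuditSessionSeen @sessionid NVARCHAR(88) AS
    UPDATE dbo.UserSessionAudit SET LastSeenUtc = SYSUTCDATETIME()
     WHERE SessionId = @sessionid AND EndedUtc IS NULL;
GO
-- Called from Session_End, on the occasions when it does fire.
CREATE PROCEDURE dbo.AuditSessionEnd @sessionid NVARCHAR(88) AS
    UPDATE dbo.UserSessionAudit SET EndedUtc = SYSUTCDATETIME()
     WHERE SessionId = @sessionid AND EndedUtc IS NULL;
GO
-- Constructed sample calls (values are made up).
EXEC dbo.AuditSessionStart N'constructed-session-id-1', 'EXAMPLE\user1';
EXEC dbo.AuditSessionSeen  N'constructed-session-id-1';
GO
-- Audit log: an explicit end wins; otherwise idle rows count as abandoned.
DECLARE @abandonMinutes INT = 10;
SELECT WindowsId, StartedUtc, LastSeenUtc,
       CASE WHEN EndedUtc IS NOT NULL THEN 'ended'
            WHEN LastSeenUtc < DATEADD(MINUTE, -@abandonMinutes, SYSUTCDATETIME()) THEN 'abandoned'
            ELSE 'active' END AS Status,
       CASE WHEN EndedUtc IS NOT NULL THEN EndedUtc
            WHEN LastSeenUtc < DATEADD(MINUTE, -@abandonMinutes, SYSUTCDATETIME()) THEN LastSeenUtc
       END AS EffectiveEndUtc  -- NULL while the session is still active
  FROM dbo.UserSessionAudit
 ORDER BY StartedUtc;
```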
Your approach could be described as simple, but that could be totally fine - it comes down to what the requirements are. If you need to log a full suite of application errors and warnings, look at implementing something like Log4Net. Otherwise I wouldn't say there is anything wrong with what you are doing.
Sessions are ended when there has been no user activity for the amount of time specified in the timeout value, or when you explicitly call Session.Abandon() in your code. Because of the stateless nature of HTTP, there is no way to tell if a user has left your site, closed the browser or otherwise stopped being interactive with their session.
I am not sure you can catch the end of the session accurately because
You can try messing with settings in IIS to kill the session very quickly after inactivity, but it's not a good idea.
Also... If the users are not all on an internal network you will have no control as to whether they have a "Windows ID" or not.