ASP.Net 中的客户端会话超时重定向
我想建立一种方法,当用户的会话由于不活动而过期时,自动将用户重定向到 Timeout.aspx。我的应用程序使用表单身份验证,并严重依赖同一 aspx 页面中的更新面板进行用户交互,因此我不想在页面级计时器到期后简单地重定向。出于同样的原因,我无法使用 '
'我想要做的是使用名为 IsSessionTimedOut() 的方法创建一个简单的 ajax Web 服务,该方法仅返回一个布尔值。我将使用 JavaScript 计时器定期调用该方法,如果返回 true,则重定向到 Timeout.aspx。但是,我不想调用此方法来重置会话超时计时器,否则会话永远不会因为服务调用而超时。有没有一种干净的方法来避免这个第 22 条军规?希望有一个到目前为止我还没有找到的简单解决方案。
I want to build a way to automatically redirect users to Timeout.aspx when their session expires due to inactivity. My application uses forms authentication and relies heavily on update panels within the same aspx page for user interaction, so I don't want to simply redirect after a page-level timer expires. For the same reason, I can't use '<meta http-equiv="refresh"/>'
What I want to do is create a simple ajax web service with a method called IsSessionTimedOut(), that simply returns a boolean. I will use a javascript timer to periodically call the method, and if it returns true, then redirect to Timeout.aspx. However, I don't want calling this method to reset the session timeout timer, or the session would never time out because of the service call. Is there a clean way to avoid this catch-22? Hopefully there is an easy solution that has so far eluded me.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
问题的症结在于,在 AJAX 应用程序中,为了提供强大的用户体验,您必须使用大量代码来混乱客户端脚本,检查每个调用的状态并确定失败是否是由于陈旧的会话/票证造成的。通过主动的方法,您的客户端脚本可以得到显着简化,同时提供更好的用户体验。
我专门针对这个问题建立了一个解决方案。
它允许交互式会话和表单票证生命周期审核而不会影响会话或票证。
多个浏览器/选项卡没有问题。
忘记防晒霜;请记住:在进行 Ajax 时,要积极主动 - 你应该放弃会话,会话不应该放弃你;-)
异步会话审核器1.0
the crux of the problem is that in AJAX apps, to provide a robust user experience you must clutter your client script with reams of code checking the status of every call and determining if a failure is due to a stale session/ticket. With a proactive approach your client script can be dramatically simplified while at the same time providing a much better user experience.
I have built a solution for this problem specifically.
It allows interactive session and forms ticket lifetime auditing without bumping the session or ticket.
Multiple browsers/tabs are no problem.
Forget the sunscreen; Remember: When doing Ajax, be proactive - You should abandon a session, a session should not abandon you ;-)
AsynchronousSessionAuditor 1.0
这是迄今为止我想出的最好的解决方案,但我愿意接受更好的解决方案。基本上,我有一个 15 分钟的 JavaScript 计时器,每次异步回发都会重置该计时器。这种方法的缺点是,即使用户正在另一个浏览器窗口中主动使用该应用程序,在后台打开的第二个选项卡或窗口也会导致会话结束。
我的主页上有类似的东西。 javascript 的最后一行添加了我的重置函数,以便在任何更新面板刷新时触发:
This is the best solution I've come up with so far, but I'm open to something better. Basically, I have a 15-minute javascript timer that is reset with every async postback. The disadvantage of this approach is that a second tab or window open in the background would cause the session to end, even if the user is actively using the application in another browser window.
Something similar to this lives on my master page. The last line of javascript adds my reset function to be triggered when any update panel refreshes:
当服务器端会话过期时发生超时真的很重要吗?
如果您只是想强制用户刷新会话或超时,我会使用 window.setTimeout() 在设定时间后重定向到 Timeout.aspx。 Timeout.aspx 的代码隐藏可以调用 Session.Abort() 来终止会话,这将强制用户如果想继续则必须重新登录。
我认为这种方法实际上比会话超时更准确和可靠,会话超时(根据我的经验)往往会根据服务器负载和其他因素而变化。
Is it really critical that the timeout happen when the server-side session expires?
If you just want to force users to refresh their sessions or time them out, I would use window.setTimeout() to redirect to Timeout.aspx after a set time. The codebehind of Timeout.aspx can call Session.Abort() to kill the session, which will force the user to log back in if they want to continue.
I think this method will actually be more accurate and reliable than the Session timeout, which (in my experience) tends to vary depending on the server load and other factors.
我认为,如果您为您的 Web 服务启用会话状态,然后在您的 global.asax 中将 SessionStateBehavior 设置为只读(如果 Web 服务受到攻击),那么您应该会很好。您需要在生命周期的早期执行此操作。
http://msdn .microsoft.com/en-us/library/system.web.httpcontext.setsessionstatebehavior(v=VS.100).aspx
I think that if you enable session state for your web service, and then set the SessionStateBehavior to read only in your global.asax if the web service is being hit, you should be good. You'll need to do this early in the lifecycle.
http://msdn.microsoft.com/en-us/library/system.web.httpcontext.setsessionstatebehavior(v=VS.100).aspx
我认为你的处理方式是错误的...如果你绝对不能使用简单的元刷新(迄今为止处理这个问题的最简单方法),那么只需处理你的 AJAX 方法返回指示你的会话的值的情况已超时。为什么需要额外的机制来做到这一点?我对 UpdatePanel 不太熟悉...但是如果在您的会话过期时更新失败,您肯定可以发回一些“嘿朋友,您需要重新登录”消息吗?
I think you are going about this the wrong way... If you absolutely can't use a simple meta-refresh (by far the easiest way to handle this) then just handle the cases where your AJAX methods return values that indicate your session has timed out. Why do you need an extra mechanism just to do this? I'm not that familiar with the UpdatePanel... but if the update fails when your session is expired, surely you can send back some "hey pardner, you need to log in again" message?