使用 100 年超时的 HTTPCookie 的 ASP.NET Webforms 站点在 20 分钟后超时
我有一个正在使用表单身份验证的网站。客户端根本不希望用户的站点会话过期。在登录页面代码隐藏中,使用以下代码:
// user passed validation
FormsAuthentication.Initialize();
// grab the user's roles out of the database
String strRole = AssignRoles(UserName.Text);
// creates forms auth ticket with expiration date of 100 years from now and make it persistent
FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1,
UserName.Text, DateTime.Now,
DateTime.Now.AddYears(100), true, strRole,
FormsAuthentication.FormsCookiePath);
// create a cookie and throw the ticket in there, set expiration date to 100 years from now
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
FormsAuthentication.Encrypt(fat)) { Expires = DateTime.Now.AddYears(100) };
// add the cookie to the response queue
Response.Cookies.Add(cookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
web.config 文件身份验证部分如下所示:
<authentication mode="Forms">
<forms name="APLOnlineCompliance" loginUrl="~/Login.aspx" defaultUrl="~/Course/CourseViewer.aspx" />
</authentication>
当我登录网站时,我执行 查看 Cookie 是否正确发送到浏览器并传回:
HttpFox 输出 http://cid-e79f8e4b07c3e30f.office.live.com/embedphoto.aspx/Public/SessionProblem.png
然而,当我离开 20 分钟左右,回来尝试在网站上执行任何操作时,登录窗口会重新出现。该解决方案在我们的服务器上运行了一段时间 - 现在又回来了。在 VS2008 中运行 Cassini 的本地开发盒上不会出现此问题。
关于如何解决这个问题有什么想法吗?
I have a site that is using Forms Auth. The client does not want the site session to expire at all for users. In the login page codebehind, the following code is used:
// user passed validation
FormsAuthentication.Initialize();
// grab the user's roles out of the database
String strRole = AssignRoles(UserName.Text);
// creates forms auth ticket with expiration date of 100 years from now and make it persistent
FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1,
UserName.Text, DateTime.Now,
DateTime.Now.AddYears(100), true, strRole,
FormsAuthentication.FormsCookiePath);
// create a cookie and throw the ticket in there, set expiration date to 100 years from now
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
FormsAuthentication.Encrypt(fat)) { Expires = DateTime.Now.AddYears(100) };
// add the cookie to the response queue
Response.Cookies.Add(cookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
The web.config file auth section looks like this:
<authentication mode="Forms">
<forms name="APLOnlineCompliance" loginUrl="~/Login.aspx" defaultUrl="~/Course/CourseViewer.aspx" />
</authentication>
When I log into the site I do see the cookie correctly being sent to the browser and passed back up:
HttpFox output http://cid-e79f8e4b07c3e30f.office.live.com/embedphoto.aspx/Public/SessionProblem.png
However, when I walk away for 20 minutes or so, come back and try to do anything on the site, the login window reappears. This solution was working for a while on our servers - now it's back. The problem doesn't occur on my local dev box running Cassini in VS2008.
Any ideas on how to fix this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
会话超时和表单身份验证超时是两个不同的事情。会话超时是否设置为 20 分钟,是否会在 Global.asax 文件中的 Session_End 事件中注销您的用户?
Session timeout and Forms Authentication timeout are two separate things. Is the Session timeout set to 20 minutes, and would it be logging your users out in the Session_End event in Global.asax file by any chance?
默认情况下,IIS 6 中的应用程序池设置为在 20 分钟不活动后关闭。如果应用程序配置中没有任何内容导致应用程序快速关闭,请检查 IIS 管理器中的应用程序池配置。您可以在其中设置许多精美的旋钮。
By default, app pools in IIS 6 are set to shut down after 20 minutes of inactivity. If there's nothing in your app configuration that's causing your app to shut down that quickly, check the app pool configuration in the IIS Manager. There are lots of wonderful knobs you can set in there.
嗯,我在 Global.asax 中有以下内容:
这就是您所指的吗?另外,如果这有什么区别的话,我们处于 IIS6 环境中。
Well I do have the following in Global.asax:
Is that what you're referring to? Also, we're in an IIS6 environment if that makes any difference.
另一件需要快速检查的事情可能是您的托管类型。云托管通常会有一个负载均衡器,该负载均衡器很难设置为在约 20 分钟内保持指向节点服务器的相同 IP,但是在此之后,您可能会被推送到新服务器,在新服务器上创建新会话并“记录您” 要解决
如果您使用标准共享主机或单个专用服务器或虚拟服务器,那么这不会是问题:)
此问题并保持 ASP.NET 会话正常工作,您需要将会话状态移至数据库 - 或重新-工具你的代码根本不使用会话:)
Another quick thing to check might be your hosting type. Cloud hosting will generally have a load balancer that is hard set to keep the same IP pointed to a node server for ~20mins, however after this time you might be pushed to a new server creating a new session on the new server and 'logging you out'
If your on standard shared hosting or a single dedicated server or virtual server however this won't be the problem :)
To get around this and keep the asp.net sessions working you need to move session state to a database - or re-tool your code to not use sessions at all :)
您可能需要检查是否正在使用负载平衡器。如果是这样,那么您确实不应该存储 InProc。如果您有多个实体,则应该考虑使用状态服务器或 SQL 服务器。
根据该问题,似乎也没有遵守默认的 30 分钟,这通常指向 IIS/托管/网络配置。
You might want to check whether you are using a load balancer. If so, then really you shouldn't be storing InProc. Should be looking into a state server or sql server if you have more than one entity.
Based on the issue, it seems that the default of 30 minutes isn't being adhered to either, which generally points to IIS/Hosting/Network configuration.