Session改变或无效时,HttpCookie不会被删除
我正在创建一个 HttpCookie,仅设置名称和值,而不设置过期属性,然后将其添加到响应中。够简单的。 cookie 按预期创建(但未保留)。问题是,当会话由于某种原因发生变化时(比如网站被重建,或者我在调试时重建了我的应用程序),那么 cookie 就会保留下来。我希望 cookie 仅对创建它的原始会话有效。
根据 MSDN 的说法:“如果您没有为 cookie 指定过期限制,则 cookie 不会保留到客户端计算机,并且会在用户会话过期时过期。”
我想我不知道“会话过期”到底包含什么。我认为 20 分钟后会话到期时 cookie 就会被删除。但是,如果创建 cookie 的会话由于多种原因不再存在,是否应该删除 cookie?我唯一一次看到 cookie 被删除是当用户关闭所有浏览器窗口并打开一个新窗口时。
如果这一切都是真的,我可能必须将原始会话 ID(“ASP.NET_SessionId”)存储在 cookie 中,然后对照当前会话 id 检查它,如果它们不同,则删除 cookie 或创建一个新的 cookie 。
下面是代码(我的 cookie 与 MSDN 示例中的 cookie 之间的唯一区别是我在 cookie 中存储了多个值):
private void SaveValuesToCookie(string[] names, string[] values)
{
HttpCookie cookie = new HttpCookie("MyCookie");
for (int i = 0; i < names.Length; i++)
{
string name = names[i];
cookie.Values[name] = values[i];
}
Response.Cookies.Add(cookie);
}
private string GetValueFromCookie(string name)
{
HttpCookie cookie = Request.Cookies["MyCookie"];
if (cookie == null)
return null;
return cookie.Values[name];
}
I'm creating an HttpCookie, setting only the name and value and not the expires property, then adding it to the response. Simple enough. The cookie is created (but not persisted) as expected. The problem is when the session changes for some reason (like the website was rebuilt, or I rebuilt my app when debugging) then the cookie stays around. I want the cookie to be valid for only the original session it was created on.
According to MSDN it says: "If you do not specify an expiration limit for the cookie, the cookie is not persisted to the client computer and it expires when the user session expires."
I guess I don't know exactly what "session expires" encompasses. I figure the cookie gets deleted after 20 min when the session expires. But should the cookie get deleted if the session it was created on doesn't exist anymore for any number of reasons? The only time I've seen the cookie get deleted is when the user closes all browser windows and opens a new one.
If this is all true, I may have to store the original session id ("ASP.NET_SessionId") in the cookie, then check it against the current session id, if they're different, then delete the cookie or create a new one.
Here's the code (the only difference between my cookie and the one in the MSDN examples is I'm storing multiple values in the cookie):
private void SaveValuesToCookie(string[] names, string[] values)
{
HttpCookie cookie = new HttpCookie("MyCookie");
for (int i = 0; i < names.Length; i++)
{
string name = names[i];
cookie.Values[name] = values[i];
}
Response.Cookies.Add(cookie);
}
private string GetValueFromCookie(string name)
{
HttpCookie cookie = Request.Cookies["MyCookie"];
if (cookie == null)
return null;
return cookie.Values[name];
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这正是 MSDN 的意思,它说会话过期时 cookie 将被删除。不幸的是,我相信这在浏览器之间并不一致,所以它对任何人都没有多大用处。
您应该始终为 Cookie 设置到期日期。
我不想这么说,但这也不会帮助你。 .NET Framework 喜欢回收会话 ID,因此您不能保证它会有所不同。
坏消息是,我建议您从架构的角度重新考虑您想要做什么。
重新启动应用程序完全发生在服务器上; cookie 完全发生在客户端。虽然客户端将与服务器通信,但这纯粹是请求/响应关系,服务器无法向浏览器传达应用程序重新启动等事件。
如果您想在某处存储一个仅在服务器会话生命周期内有效的值,为什么不将其存储在 Session 中而不是存储在 Cookie 中呢?
And that is exactly what MSDN means when it says the cookie will be deleted when the session expires. Unfortunately, I believe this isn't consistant across browsers anyway, so it's not much use to anyone.
You should always set an expiry date on Cookies.
I hate to say it but this isn't going to help you either. The .NET Framework likes to recycle session IDs, so you can't guarantee it will be different.
Bad news out of the way, I would advise you to reconsider what you're trying to do from an architectural standpoint.
Restarting the app is something that happens entirely on the server; cookies are something that happen entirely on the client. While the client will talk to the server, it is purely a Request/Response relationship, the server cannot communicate events such as an application restart to the browser.
If you want to store a value somewhere which is only valid for the lifespan of a server session, why not store it in Session rather than in a Cookie?
我知道这一切,但它对于我们客户的需求来说还不够安全。会话仍然可能被欺骗或注入。请参阅:http://msdn.microsoft.com/en-us/ magazine/cc163730.aspx#S9
看起来我只能在会话之外创建一个过期的安全 cookie,并在可以时刷新过期日期(即当用户访问某些页面时)。
I'm aware of all that, but it's not secure enough for our clients needs. The session can still get spoofed or injected. See: http://msdn.microsoft.com/en-us/magazine/cc163730.aspx#S9
Looks like I'm left to creating an expired secure cookie separate of the session, and refreshing the expiration date when I can (ie when the user accesses certain pages).