停止站点在过期时重用会话 ID
我希望能够在用户结束我们应用程序上的会话时进行记录,并记录是注销还是会话过期。我用于
cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
在注销时设置新的 sessionId,但是当会话过期时,如果浏览器实例未关闭,则将重用 sessionId。在我的 web.config 中,我已经使用了会话
<sessionState mode="InProc" timeout="1" cookieName="session" regenerateExpiredSessionId="true" />
,但仍然重用会话。
我无法杀死 Session_end() 中的 cookie,因为我没有访问权限,因为没有 HttpContext 或请求,所以我无法以这种方式重置它。
有谁知道如何从 Global.asax.cs 文件中强制使用新的 sessionId ?
谢谢
戴夫
编辑 - 这目前在我们的开发环境中,但我们的生产应用程序使用状态服务器进行会话。不确定这是否会对 sessionId 分配产生影响(我知道我需要使用自定义 IHttpModule 而不是 Session_end)
I want to be able to log when a user ends their session on our application and record whether it was a sign out or a the session expired. I am using
cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
to set a new sessionId on sign out, but when the session expires, the sessionId is reused if the browser instance is not closed. In my web.config I have used
<sessionState mode="InProc" timeout="1" cookieName="session" regenerateExpiredSessionId="true" />
but still get sessions reused.
I can't kill the cookie in Session_end() because I don't have access because there is no HttpContext or request, so I can't reset it that way.
Does anyone have any ideas how I can force a new sessionId from the Global.asax.cs file?
Thanks
Dave
Edit - This is currently on our development environment, but our production application uses a state server for session. Not sure if this should make a difference to the sessionId Allocation (I know that I'll need to use an custom IHttpModule rather than Session_end)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
根据 RegenerateExpiredSessionId 属性的文档:
因此,除非您使用无 cookie 会话,否则您就不走运了。
您对这些需要新会话 id 的会话 id 做了什么?将它们存储在数据库或其他地方以供以后查找?如果是这样,也许您应该考虑使用您可以控制的其他类型的 id(例如 sql server 上的标识列)。
顺便说一句 - 你真的希望你的会话在一分钟内超时,还是这只是一个测试?
According to the docs on the RegenerateExpiredSessionId property:
So, unless your are using cookieless sessions, you are out of luck
What are you doing with these session ids that you require new ones? Storing them in a db or somewhere for later lookup? If so, maybe you should look at using some other kind of id that you can control (like an identity column on sql server).
BTW - do you really want your session to time out in one minute, or is that just a testing thing?
首先,您将无法跟踪会话何时在生产中结束,因为在使用除 InProc 之外的任何状态机制时,不能保证全局 Session_End 会触发。
会话 cookie 是非持久性的,因此解决您提到的问题的唯一方法是,如果用户将浏览器实例保持打开状态并且会话由于不活动而超时,然后重新访问该页面。您可以在 Session_Start 和 Session_End 中记录会话 ID,并且您的数据库日志将更加可靠,因为您将能够识别超时/重新登录行为。
您可以使用 Session.IsNewSession 来检测当前会话是否是使用当前请求创建的。 (无论提供的 sessionid id 是什么)。
如果您使用会话 ID 来跟踪用户是否“登录”,您应该避免这种情况,而是使用可以配置超时的 asp.net auth cookie。 (意味着cookie本身有一个过期时间,每次视图都会刷新,但超时后,cookie将被浏览器丢弃,从而需要重新登录。
Firstly, you will be unable to track when sessions end in production because the global Session_End is not guaranteed to fire when using any state mechanism other than InProc.
Session cookies are non-persistent, so the only way you can achieve the problem you are mentioning is if the user leaves their browser instance open and their session times out due to inactivity, then re-visits the page. You could record the session id in Session_Start as well as Session_End and your database log would be more robust as you would be able to identify timeout/relogin behavior.
You can use Session.IsNewSession to detect if the current session was created with the current request. (Regardless of what the provided sessionid id is).
If you are using session id to track whether the user is "logged in", you should avoid that and instead use the asp.net auth cookie which can have a configured timeout. (meaning the cookie itself has an expiration that is refreshed on each view, but after the timeout, the cookie will be discarded by the browser, thus requiring a re-login.