FormAuthentication ticket expiry check

Posted 2024-10-14 08:55:52


I have an asp.net application where I am using a FormAuthentication ticket when the user signs in. On each page I want to check if the FormAuthentication ticket has expired.

Actually I have two scenarios:

  1. I want to check if the user is authenticated or is trying to access the page directly without signing in (in this case I want to redirect to "Default.aspx").

  2. If the user is already signed in and authenticated but the timeout occurred (in this case I want to redirect to the page "sexpired.aspx", where the user will be notified "your session has expired, please sign in again" with a link to "Default.aspx", and it would redirect back to the return URL). Please advise and suggest solutions accordingly.

Currently I am doing this on every page, and I think that when the cookie expires it makes User.Identity.IsAuthenticated = false, which also causes a redirect back to "Default.aspx" when the user tries to load the page after a timeout.

Okay, here is my updated question with the login form code-behind:

protected void LoginButton_Click(object sender, EventArgs e)
{
    if (AuthenticateUser("SPOINT", txtUsername.Text, txtPassword.Text))
    {
        //Fetch the role
        Database db = DatabaseFactory.CreateDatabase();

        //Create Command object
        DbCommand cmd = db.GetStoredProcCommand("Users");

        db.AddInParameter(cmd, "@userid", System.Data.DbType.String, 20);
        db.SetParameterValue(cmd, "@userid", txtUsername.Text);

        db.AddInParameter(cmd, "@fname", System.Data.DbType.String, 80);
        db.SetParameterValue(cmd, "@fname", null);

        db.AddInParameter(cmd, "@lname", System.Data.DbType.String, 80);
        db.SetParameterValue(cmd, "@lname", null);

        db.AddInParameter(cmd, "@phone", System.Data.DbType.String, 50);
        db.SetParameterValue(cmd, "@phone", null);

        db.AddInParameter(cmd, "@mobile", System.Data.DbType.String, 50);
        db.SetParameterValue(cmd, "@mobile", null);

        db.AddInParameter(cmd, "@email", System.Data.DbType.String, 100);
        db.SetParameterValue(cmd, "@email", null);

        db.AddInParameter(cmd, "@uroleids", System.Data.DbType.String, 50);
        db.SetParameterValue(cmd, "@uroleids", null);

        db.AddInParameter(cmd, "@uroles", System.Data.DbType.String, 500);
        db.SetParameterValue(cmd, "@uroles", null);

        db.AddInParameter(cmd, "@umenu", System.Data.DbType.Int16);
        db.SetParameterValue(cmd, "@umenu", null);

        db.AddInParameter(cmd, "@ustatus", System.Data.DbType.String, 1);
        db.SetParameterValue(cmd, "@ustatus", null);

        db.AddInParameter(cmd, "@reqType", System.Data.DbType.String, 1);
        db.SetParameterValue(cmd, "@reqType", "R");

        db.AddOutParameter(cmd, "@retval", DbType.Int16, 2);

        IDataReader reader = db.ExecuteReader(cmd);

        System.Collections.ArrayList roleList = new System.Collections.ArrayList();
        if (reader.Read())
        {
            roleList.Add(reader[0]);
            string myRoles = (string)roleList[0];
            //Read user name
            string uname = (string)reader[1];
            //Read User menu ID
            int menuID = Convert.ToInt16(reader[2]);

            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, txtUsername.Text, DateTime.Now,
            DateTime.Now.AddMinutes(30), true, myRoles, FormsAuthentication.FormsCookiePath);

            //Read user full name in session variable which will be shared across the whole application
            Session["uid"] = txtUsername.Text;
            Session["ufullname"] = uname; //myname; //uname;
            Session["branch"] = 1;

            //For security reasons we may hash the cookies
            string hashCookies = FormsAuthentication.Encrypt(ticket);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);

            // add the cookie to user browser
            Response.Cookies.Add(cookie);

            //Constructing Menu according to User Role
            string x = buildmenu(menuID);

            Globals.menuString = null;
            Globals.menuString = x;

            string returnURL = "~/Main.aspx";

            //Close reader object to avoid Connection Pooling troubles
            reader.Close();

            string rUrl = Request.QueryString["rUrl"];
            // Only follow an application-relative return URL; an absolute or
            // protocol-relative value here would turn the login page into an open redirect.
            bool localUrl = !string.IsNullOrEmpty(rUrl)
                && (rUrl.StartsWith("~/") || (rUrl.StartsWith("/") && !rUrl.StartsWith("//") && !rUrl.StartsWith("/\\")));
            if (localUrl)
                Response.Redirect(rUrl);
            else
                Response.Redirect(returnURL);
        }
        else
        {
            //Validation Error here...
            reader.Close();
            lblError.Text = "Incorrect UserID/Password entered...";
            return;
        }
    }
    else
    {
        lblError.Text = "Incorrect UserID/Password entered...";
        return;
    }
}

Here is my code-behind where I am checking the FormsAuthentication ticket:

if (!HttpContext.Current.User.Identity.IsAuthenticated || !HttpContext.Current.User.IsInRole("Maker"))
    Response.Redirect("~/Default.aspx");


Comments (2)

七禾 2024-10-21 08:55:52


Without your login/auth code it is hard to determine how you have things set up.

The first thing you should probably do is set the session/cookie timeout to be the session expire time + 1 minute (e.g. 21 minutes).

Then you can either write an HttpModule to check the timeout and redirect:

using System;
using System.Web;
using System.Web.Security;

public class ExpireModule : IHttpModule {

    public virtual void Init(HttpApplication app) {
        app.PostAuthenticateRequest += new EventHandler(app_PostAuthenticateRequest);
    }

    // IHttpModule requires Dispose; nothing to release here
    public void Dispose() { }

    private void app_PostAuthenticateRequest(object sender, EventArgs e) {
        HttpApplication app = (HttpApplication)sender;
        //check ticket
        HttpCookie cookie = app.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        //if old, kill login, redirect to session timeout page
        if (ticket == null || ticket.Expired) {
            FormsAuthentication.SignOut();
            app.Response.Redirect("~/sexpired.aspx", true);
        }
    }
}

Or do the same thing in a shared base page (if you have one)

By making the session timeout 21 minutes, you can use all the standard auth code

氛圍 2024-10-21 08:55:52


To set the default page to be opened when the user is not authorized, set loginUrl.

Also don't forget to check that slidingExpiration is not set to false!

<forms
    name=".ASPXFORMSAUTH"
    loginUrl="Default.aspx"
    defaultUrl="Default.aspx"
    slidingExpiration="true"
    timeout="30" />

MSDN


To check whether the timeout has come to an end, use the Global.asax event Application_BeginRequest:

public class Global : HttpApplication
{
    // User is only populated once FormsAuthenticationModule has run, so the check
    // has to sit after authentication rather than in BeginRequest, where User is still null.
    protected virtual void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // Keep the timeout and login pages reachable, otherwise the redirect loops
        string page = this.Request.AppRelativeCurrentExecutionFilePath;
        if (page.EndsWith("Timeout.aspx", StringComparison.OrdinalIgnoreCase) ||
            page.EndsWith("Default.aspx", StringComparison.OrdinalIgnoreCase))
            return;

        if (!this.Request.IsAuthenticated)
            this.Response.Redirect("Timeout.aspx");
    }
}
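Putting the two answers together for the asker's two scenarios, as an added example that is not part of either answer or of the asker's project: a Global.asax handler that decrypts the forms cookie itself in BeginRequest, before FormsAuthenticationModule has looked at it, so a ticket that has expired (scenario 2) can still be told apart from a ticket that was never issued (scenario 1). The page names sexpired.aspx and Default.aspx and the rUrl query parameter are taken from the question; the PublicPages list and the Inspect helper are assumptions of this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private enum TicketState { Missing, Valid, Expired, Tampered }

    // Pages that must stay reachable with no valid ticket, otherwise the redirect loops.
    private static readonly string[] PublicPages = { "~/default.aspx", "~/sexpired.aspx" };

    // Decrypt the forms cookie ourselves. Assumption: called from BeginRequest, i.e. before
    // FormsAuthenticationModule has examined (and possibly discarded) an expired ticket.
    private static TicketState Inspect(HttpCookie cookie, DateTime now)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return TicketState.Missing;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return TicketState.Tampered; }   // bad MAC, wrong machineKey, garbage
        if (ticket == null) return TicketState.Tampered;
        return ticket.Expiration <= now ? TicketState.Expired : TicketState.Valid;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string page = Request.AppRelativeCurrentExecutionFilePath.ToLowerInvariant();
        if (!page.EndsWith(".aspx") || Array.IndexOf(PublicPages, page) >= 0)
            return;                                   // static files and public pages pass through

        // RawUrl is the path of this very request, so it is always a same-site return URL.
        string rUrl = HttpUtility.UrlEncode(Request.RawUrl);
        switch (Inspect(Request.Cookies[FormsAuthentication.FormsCookieName], DateTime.Now))
        {
            case TicketState.Missing:                 // scenario 1: never signed in
                Response.Redirect("~/Default.aspx?rUrl=" + rUrl, true);
                break;
            case TicketState.Expired:                 // scenario 2: signed in earlier, ticket timed out
                FormsAuthentication.SignOut();        // tells the browser to drop the stale cookie
                Response.Redirect("~/sexpired.aspx?rUrl=" + rUrl, true);
                break;
            case TicketState.Tampered:                // undecryptable: treat as not signed in
                FormsAuthentication.SignOut();
                Response.Redirect("~/Default.aspx", true);
                break;
            case TicketState.Valid:
                break;                                // FormsAuthenticationModule will set User
        }
    }
}
```

The login page must still confirm that rUrl is an application-relative path before redirecting to it, as in the asker's corrected LoginButton_Click.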