我应该在 LogOff 方法中使用 Session.Abandon() 吗?
我正在使用的技术:
- MVC v2
- 表单身份验证(滑动到期)
- 会话状态服务器
- 自定义授权属性
我正在为我的 mvc 应用程序使用状态服务器进程。在测试过程中,当经过身份验证的用户单击“注销”按钮时,它会正确地将他们带到身份验证屏幕,并在成功输入凭据后将他们重新登录。但是,它会找到他们之前的会话变量状态,而不是重新加载我授予他们的任何新权限。这是由于我在以下代码中加载用户的方式所致:
public override void OnAuthorization(AuthorizationContext filterContext) {
if (filterContext == null)
throw new ArgumentNullException("FilterContext");
if (AuthorizeCore(filterContext.HttpContext)) {
IUser customUser = filterContext.HttpContext.Session["CustomUser"] as IUser;
if ((customUser == null) || (customUser.Name != filterContext.HttpContext.User.Identity.Name)) {
customUser = new User(filterContext.HttpContext.User.Identity.Name,
filterContext.HttpContext.User.Identity.IsAuthenticated);
}
if (_privileges.Length > 0) {
if (!customUser.HasAtLeastOnePrivilege(_privileges))
filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
}
filterContext.HttpContext.Session["CustomUser"] = customUser;
}
}
因此,您可以看到我将我的 customUser 存储在 Session 中,该值就是原来的值从上一个会话中获取,即使用户已在之间注销(但在滑动过期窗口内重新登录。
所以,我的问题是,我应该在我的会话中放置一个简单的 Session.Abandon() 调用吗? AccountController 中的 LogOff 方法,或者是否有更干净、更有利的方法来处理这个问题?
Technologies I'm Using:
- MVC v2
- Forms Authentication (Sliding Expiration)
- Session State Server
- Custom Authorization Attribute
I'm using the state server process for my mvc app. During testing, when an authenticated user would click the "LogOff" button, it would correctly take them to the authentication screen, and upon successful credential entering, would log them back in. BUT, it would find their prior session variable state, and NOT reload any new permissions I'd given them. This is due to how I'm loading a user in the following code:
public override void OnAuthorization(AuthorizationContext filterContext) {
if (filterContext == null)
throw new ArgumentNullException("FilterContext");
if (AuthorizeCore(filterContext.HttpContext)) {
IUser customUser = filterContext.HttpContext.Session["CustomUser"] as IUser;
if ((customUser == null) || (customUser.Name != filterContext.HttpContext.User.Identity.Name)) {
customUser = new User(filterContext.HttpContext.User.Identity.Name,
filterContext.HttpContext.User.Identity.IsAuthenticated);
}
if (_privileges.Length > 0) {
if (!customUser.HasAtLeastOnePrivilege(_privileges))
filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
}
filterContext.HttpContext.Session["CustomUser"] = customUser;
}
}
So, you can see I'm storing my customUser in the Session and that value is what was fetched from the prior session even though the user had logged off between (but logged back on within the sliding expiration window.
So, my question is, should I place a simple Session.Abandon() call in my LogOff method in the AccountController, or is there a cleaner more advantageous way of handling this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
通常
Session.Clear()应该足够了,可以删除会话中存储的所有值。Session.Abandon()结束当前会话。它还可能会触发 Session_End,而下一个请求将触发 Session_Start。Normally
Session.Clear()should be enough and remove all values that have been stored in the session.Session.Abandon()ends the current session. It might also fire Session_End and the next request will fire Session_Start.