如何在 ASP.NET 站点上的会话过期后处理回发?
我有一个简单的 ASP.NET 4 网站。我正在使用表单身份验证。我将会话超时设置为 20 分钟。此外,当用户进行身份验证时,我将 AuthenticationTicket 设置为在 20 分钟后过期。所以通常情况下一切正常。如果超过 20 分钟不活动,并且用户请求网站上的页面,他们将被重定向回登录页面,正如我所期望的那样。
但是,假设用户位于包含表单的页面上。然后他们等了25分钟。然后他们去提交表格。该站点没有被重定向回登录页面,而是尝试回发,我立即收到错误,因为回发中有代码尝试从会话中获取信息。
如果 AuthenticationTicket 和 Session 已过期,ASP.NET 似乎不会在回发时重定向回登录。我该如何处理这个问题?我希望我不必在每个页面上编写特殊的代码。
添加:web.config 代码
<location path="ForgotLogin.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx"></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
Corey
I have a simple ASP.NET 4 site. I am using Forms Authentication. I have Session timeout set to 20 minutes. Also when the user authenticates I set the AuthenticationTicket to expire in 20 minutes. So normally everything works fine. If there is more than 20 minutes of inactivity and the user requests a page on the site they are redirected back to the Login page as I would expect.
However, let's say that the user is on a page that contains a form. Then they wait 25 minutes. Then they go to submit the form. Instead of being redirected back to the Login page, the site attempts the postback and I immediately get errors because there is code in the postback that attempts to get information out of Session.
It seems like ASP.NET does not redirect back to Login on postback if the AuthenticationTicket and Session has expired. How can I handle this? I hope I don't have to write special code on each page.
ADDED: web.config code
<location path="ForgotLogin.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx"></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
Corey
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我认为您的会话和身份验证 cookie 有不同的超时。您描述的情况听起来像是会话超时,但身份验证 cookie 仍然有效。请参阅这篇文章。特别是用户的身份验证令牌与其会话之间是否存在依赖关系?部分适合您的情况。
I think you have different timeouts for your session and your authentication cookie. The situation you describe sounds like a session that is timed out with an authentication cookie that is still valid. Look at this article. Especially the section Do you have a dependency between the user's authentication token and his session? is for your situation.
如果您没有在会话过期时明确对页面进行超时检查,则确实需要检查每个页面。
创建一个基类,每个页面都继承Page。在该类的页面加载事件中,检查 Session.IsNew。您还可以检查其他几项内容,以完全确定会话已过期。
You do need to check on each page if you are not explicitly timing the pages out when the session expires.
Make a base class each page inherits Page from. In the page load event in that class, check for Session.IsNew. There are a couple other things you can check to be totally sure the session has expired.
我不认为这是一个身份验证问题。您可以通过身份验证并使会话过期。
他们的行为彼此独立。
您在会话中存储什么样的信息?
如果此信息适用于页面,我建议将其保留在 ViewState 或 ControlState 中。如果您保留与用户相关的信息。我将创建一个 IHttpModule,以便每当经过身份验证的用户调用您的网站并且您的会话值为空时,您都可以在用户点击任何页面之前重新创建它们。
I don't think this is an authentication issue. You can be authenticated and have the session expire.
They behave independently from each other.
What kind of information are you storing in session?
If this information is for the page I would recomend keeping it in the ViewState or ControlState. If you are keeping information related to the user. I would create an IHttpModule so whenever an Authenticated user calls your website and your session values are null you recreate them before the user hits any page.