What am I missing? My forms timeout does not time out the session

Posted 2024-11-16 06:04:20

I have an ASP.NET MVC 3 site with my own authorize attribute. When a user logs in I make a forms auth cookie:

    public void SetAuthCookie(string userName, string userData = "", int version = 1)
    {
        // Ticket expiry is set explicitly to 30 minutes from now
        DateTime expiry = DateTime.UtcNow.AddMinutes(30);

        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(version, userName, DateTime.UtcNow, expiry, false, userData, "/");

        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket) { Path = "/" };

        HttpContext.Current.Response.Cookies.Add(authCookie);
    }

    // AuthorizeAttribute
    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null)
            {
                throw new ArgumentNullException("httpContext");
            }

            // True as long as the forms-auth ticket in the cookie has not expired
            if (httpContext.User.Identity.IsAuthenticated)
            {
                return true;
            }

            return false;
        }
    }

So I go to my site, log in, and wait for my site to time out. I then do a request (it's an AJAX request) and it first goes through my attribute, and httpContext.User.Identity.IsAuthenticated is still set to true even though I did not make a request to the server for 3 minutes.

    <authentication mode="Forms">
      <forms loginUrl="~/Account"
             protection="All"
             name=".MySite"
             path="/"
             requireSSL="false"
             slidingExpiration="true"
             defaultUrl="default.aspx"
             cookieless="UseDeviceProfile"
             enableCrossAppRedirects="false"
             timeout="1"
             />
    </authentication>

相权↑美人 2024-11-23 06:04:20

You are creating a cookie with a 30-minute timeout:

    DateTime expiry = DateTime.UtcNow.AddMinutes(30);

So you must wait 30 minutes before this cookie becomes invalid. The timeout of 1 minute that you specified in your web.config is ignored because you are manually creating the cookie with a 30-minute timeout.

If you want to match the value from your web.config you could use the following:

    // FormsAuthentication.Timeout is a TimeSpan, so convert it to minutes
    DateTime expiry = DateTime.UtcNow.AddMinutes(FormsAuthentication.Timeout.TotalMinutes);

梦冥 2024-11-23 06:04:20

I agree with the above answer.

For more detail, review http://weblogs.asp.net/owscott/archive/2006/07/15/Forms-Authentication-Timeout.aspx

This may help you.
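The fix from the first answer, written out as an added example (not code from the question or either answer): the ticket lifetime comes from `<forms timeout="...">` instead of a literal, and a diagnostic method reads back the ticket the browser actually sent so the effective expiry can be checked. The names `AuthCookieIssuer` and `RemainingLifetime` and the `HttpOnly` setting are assumptions made for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; not part of the original post.
public static class AuthCookieIssuer
{
    // Issues the ticket with the lifetime configured in <forms timeout="...">.
    public static void SetAuthCookie(HttpResponseBase response, string userName, string userData = "")
    {
        // The ticket constructor documents issueDate/expiration as local time.
        DateTime issued = DateTime.Now;
        DateTime expiry = issued.Add(FormsAuthentication.Timeout); // Timeout is a TimeSpan

        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, expiry,
            false, // non-persistent ticket
            userData, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                        // assumption: hide the cookie from script
            Secure = FormsAuthentication.RequireSSL // follows requireSSL in web.config
        };
        response.Cookies.Add(cookie);
    }

    // Diagnostic: time left on the ticket the browser sent, or null if there is
    // no usable ticket. Confirms which lifetime is really in effect.
    public static TimeSpan? RemainingLifetime(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }      // malformed value
        catch (CryptographicException) { return null; } // failed integrity check

        if (ticket == null || ticket.Expired) return null;
        return ticket.Expiration - DateTime.Now;
    }
}
```

With `slidingExpiration="true"`, the forms authentication module reissues a ticket once more than half of its lifetime has elapsed and reuses the ticket's own duration, so a hard-coded 30 minutes carries over into every renewal.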
