使用无 Cookie 会话时如何正确处理表单身份验证票证
我很确定我没有遇到独特的问题,但我已经在谷歌和这个网站上进行了搜索,但我还没有找到我正在寻找的可靠答案。因此,我想解释一下自己,看看我是否能在这个问题上获得任何帮助:
我们(我的同事和我)确定我们需要无 cookie 的会话,因为我们的用户需要多个会话才能以更快速的方式完成他们的工作。富有成效的时尚。
示例
Bob 用户可能在窗口 A 中启动了一个长时间运行的进程,为了继续工作,Bob 将打开窗口 B,该窗口会生成一个新会话。为了不干扰窗口 A 中正在发生的事情,这是必要的。每次 Bob 打开新窗口时,他都必须重新登录。
问题
我不太确定这是否是一个真正的问题,因此我有理由问。我认为我发现的问题是每次 Bob 登录时,当前的表单身份验证票证(和 Cookie)都会被覆盖。现在我不明白这是怎么回事,也不明白为什么在鲍勃第二次登录后,之前的会话/窗口组合仍然有效。由于票证被覆盖,这是否意味着第一个会话/窗口组合应该结束,因为票证不再有效?这是关于:
Request.IsAuthenticated //Making sure the supplied ticket is valid
问题
既然表单身份验证票证(和 Cookie)被覆盖,这意味着什么?
- 我是否应该担心票证(和 Cookie)被覆盖?
在登录期间,我是否应该拦截票证(如果有)并检查其是否过期?如果它没有过期,我应该尝试续签还是重新制作一张新票?
FormsAuthentication.RenewTicketIfOld(ticket) //只是一个例子如果我使用无 cookie 会话,我是否也应该使用无 cookie 表单身份验证?这样做的目的是使每个会话/窗口 100% 彼此独立。不会再发生覆盖写入的情况。这有什么缺点吗?我想不出任何办法。
PS:我知道 cookie 只是一个容器,用于存储其中的内容,例如键值对。
附加信息...
表单身份验证票证:
IsPersistent 设置为 true
票证版本 2
表单 Cookie:
Key = FormsCookieName(来自 web.config 标记)
值 = 哈希票证
Web.Config:
<sessionState
cookieless="true"
mode="SQLServer"
sqlConnectionString="..."
timeout="300"
regenerateExpiredSessionId="true" />
<forms name="FormsCookieName"
path="../"
loginUrl="Login.aspx"
protection="All"
timeout="300"
slidingExpiration="true" >
</forms>
I am pretty sure I do not have a unique problem, but I have searched all over google and this site and I haven't found a solid answer for what I am looking for. So I wanted to explain myself to see if I could get any help on this issue:
We (my co-workers and I) determined that we need have cookie-less Sessions because our users require multiple sessions to get their work done in a more productive fashion.
Example
Bob the user could have initiated a long running process in window A and in order to continue working Bob will open window B which spawns a new session. This is necessary in order to not disturb what is going on in window A. Every time Bob opens a new window, he has to log in again.
The Problem
I am not really sure if this is a real problem or not, hence my reason for asking. The problem I think I have discovered is that each time Bob logs in, the current Forms Authentication Ticket (and Cookie) are over-written. Now I do not understand how this is okay or why the previous Session/Window combo is still valid after Bob logs in a second time. Since the ticket was over-written doesn't that mean the first Session/Window combo should end because the ticket is no longer valid? This is with respect to:
Request.IsAuthenticated //Making sure the supplied ticket is valid
Questions
So since the Forms Authentication Ticket (and Cookie) are being over written, what does this mean?
- Should I be concerned that the ticket (and Cookie) are being over written?
During login, should I be intercepting the ticket (if any) and checking for its expiration? If it is not expired should I try to renew the ticket or just make a new one?
FormsAuthentication.RenewTicketIfOld(ticket) //Just an exampleIf I am using a cookie-less session should I just use cookie-less Forms Authentication too? The point of doing this would be to make each Session/Window 100% independent of each other. No over-writing would occur anymore. Is there a draw back to this? I can't think of any.
PS: I know the cookie is just a container for what ever is being stored in it, like a Key Value pair.
Additonal Info...
Forms Authentication Ticket:
IsPersistent set to true
Ticket Version 2
Forms Cookie:
Key = FormsCookieName (from web.config tag)
Value = Hashed Ticket
Web.Config:
<sessionState
cookieless="true"
mode="SQLServer"
sqlConnectionString="..."
timeout="300"
regenerateExpiredSessionId="true" />
<forms name="FormsCookieName"
path="../"
loginUrl="Login.aspx"
protection="All"
timeout="300"
slidingExpiration="true" >
</forms>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论