IIS 7 中的会话超时如何工作?
在 web.config 中,我将 sessionState 中的超时设置为 20 分钟。根据 MSDN,此超时指定会话在被放弃之前可以空闲的分钟数。在 IIS 7 中,DefaultWebSite->Session State->Cookie Settings->Time Out 会自动填充 web.config 中设置的超时值,在我的例子中为 20 分钟。另外,应用程序池->DefaultAppPool->高级设置->idleTimeout,我设置为10分钟。
然后我做了两个测试: 第一次测试:我在下午 3:45 登录我的网络应用程序,空闲了 10 分钟。下午 3:55,我尝试使用我的应用程序,但被踢出了。我认为idleTimeout发挥了作用。
第二次测试:我在下午 4:00 登录我的网络应用程序,并在下午 4:05、4:10、4:15 和 4:20 玩该应用程序。我预计下午 4:20 就会被赶出去。但我不是。我认为 IIS 7 中的会话状态超时(20 分钟)是 Web 代理要求用户重新进行身份验证之前用户会话可以处于活动状态的最长时间。从这次测试来看,显然不是。谁能向我解释一下吗?另外,我如何设置上述情况的超时?
In web.config, I set timeout in the sessionState to 20 minutes. According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned. In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out automatically is populated with timeout value set in web.config, which in my case is 20 minutes. Also, Application Pools->DefaultAppPool->Advanced Settings->idleTimeout, I set it to 10 minutes.
Then I made two tests:
First test: I logged in my web app at 3:45pm, idling for 10 minutes. At 3:55pm, I tried to use my app, I got kicked out. I think the idleTimeout comes in play.
Second test: I logged in my web app at 4:00pm, play with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. I expected being kicked out at 4:20pm. But I was not. I thought the session state timeout (20min) in IIS 7 is the the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate. Apparently from this test, it is not. Can anyone explain that to me? Also, how could I set the timeout for above case?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
会话超时是一种滑动超时,用户每次访问服务器时都会将其重置为配置的值。
如果在一段时间内没有向您的应用程序发出任何请求,则应用程序空闲超时将启动。
因此,通常的场景是:
12:0212:1012:1512:2212:3212:35如果用户 A 在 12:22 之后返回站点,他们将拥有一个全新的会话,并且您可以设置任何值以前存储在那里的将会丢失。
确保会话在应用程序重新启动后持续存在的唯一方法是配置 SessionState 服务或 SQL 会话状态,并确保您已 配置 machine.key,以便每次服务器重新启动时不会自动生成。
如果您使用标准 ASP.NET 机制进行身份验证,则 ASP.NET 将向每个用户发出两个 cookie:
这两个 cookie 均使用 MachineKey 进行加密 - 因此,如果您的应用程序回收并生成新密钥,则这些令牌都无法解密,从而需要用户登录并创建新会话。
回复评论:
Session.Add(string, object)方法。Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server.
The Application Idle time-out kicks in if there have been no requests to your application for that period of time.
The usual scenarios is therefore:
12:0012:0212:1012:1512:2212:3212:35If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost.
The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that's it not AutoGenerated each time the server restarts.
If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will will issue two cookies to each user:
Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session.
Responding to comments:
Session.Add(string, object)method.