I am using ASP.NET Identity membership. Here is my code:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        ExpireTimeSpan = TimeSpan.FromMinutes(45),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
                validateInterval: TimeSpan.FromSeconds(0),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
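As you can see, ExpireTimeSpan is set to 45 minutes, but after logging in, if he makes no HTTP requests, the user gets logged out quickly, within ten minutes. When I check with Inspect Element, I see the following:
After login:
After ten minutes:
As you can see, AspNet.ApplicationCookie has been replaced by _RequestVerificationToken, but the session ID is still there.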