我正在使用ASP.Net身份验证来控制我的应用程序授权,我需要在指定的几分钟不活动后终止用户会话,我试图通过执行以下方法来解决这个问题
public void ConfigureAuth(IAppBuilder app) {
app.CreatePerOwinContext<UserStore>(() => new UserStore());
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/login"),
LogoutPath = new PathString("/logout"),
CookieDomain = ConfigurationManager.AppSettings["CookieDomain"],
Provider = new CookieAuthenticationProvider {
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(2),
regenerateIdentity: (manager, user) => manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie)
)
},
SlidingExpiration = true,
});
}
我也试过这个方法
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/login"),
LogoutPath = new PathString("/logout"),
CookieDomain = ConfigurationManager.AppSettings["CookieDomain"],
ExpireTimeSpan = TimeSpan.FromMinutes(2),
SlidingExpiration = true,
});
使用那些aproches用户cookie会话在2分钟后过期,无论用户是否在站点中处于活动状态。我在文档中读到,通过设置SlidingExpiration = true
,可以在ExpireTimeSpan中途的任何请求中重新发出cookie。例如,如果用户登录并在16分钟后再发出第二个请求,则会再次发出cookie 30分钟。如果用户登录,然后在31分钟后发出第二个请求,则会提示用户登录。
我不知道为什么它不起作用,有什么想法?
答案 0 :(得分:0)
要清楚:CookieHandler正在检查直到cookie过期的剩余时间是否小于自发出问题(意味着它已过期一半)之前经过的时间,然后才请求刷新。这在Microsoft.AspNetCore.Authentication.Cookies的dll中。
就个人而言,我希望可以选择一个选项来更改经过的百分比。当您使用较小的超时(15分钟或更短的时间)来获得更安全的应用程序时,仅在闲置7分钟后才使用户超时,这是因为cookie在它们处于活动状态的前6分钟从未刷新过,这非常令人讨厌。
也许添加一个选项来使用剩余时间跨度检查而不是常数。例如,当Cookie剩余的时间少于{TimeSpan}时,发出刷新请求。
private void CheckForRefresh(AuthenticationTicket ticket)
{
DateTimeOffset utcNow = this.get_Clock().get_UtcNow();
DateTimeOffset? issuedUtc = ticket.get_Properties().get_IssuedUtc();
DateTimeOffset? expiresUtc = ticket.get_Properties().get_ExpiresUtc();
bool? allowRefresh = ticket.get_Properties().get_AllowRefresh();
bool flag = !allowRefresh.HasValue || allowRefresh.GetValueOrDefault();
if (((!issuedUtc.HasValue || !expiresUtc.HasValue ? 0 : (this.get_Options().SlidingExpiration ? 1 : 0)) & (flag ? 1 : 0)) == 0)
return;
TimeSpan timeSpan = utcNow.Subtract(issuedUtc.Value);
if (!(expiresUtc.Value.Subtract(utcNow) < timeSpan))
return;
this.RequestRefresh(ticket);
}
答案 1 :(得分:0)
我怀疑问题是尽管SlidingExpiration为true,刷新行为仍受到抑制。查看Katana源代码,CookieAuthenticationHandler类,AuthenticateCoreAsync()方法,我们看到:
bool? allowRefresh = ticket.Properties.AllowRefresh;
if (issuedUtc != null && expiresUtc != null && Options.SlidingExpiration
&& (!allowRefresh.HasValue || allowRefresh.Value))
{
TimeSpan timeElapsed = currentUtc.Subtract(issuedUtc.Value);
TimeSpan timeRemaining = expiresUtc.Value.Subtract(currentUtc);
if (timeRemaining < timeElapsed)
{
_shouldRenew = true;
_renewIssuedUtc = currentUtc;
TimeSpan timeSpan = expiresUtc.Value.Subtract(issuedUtc.Value);
_renewExpiresUtc = currentUtc.Add(timeSpan);
}
}
即仅当ticket.Properties.AllowRefresh为null或true时,刷新才会发生,并且根据您使用的中间件的不同,可以将其设置为false。例如。在OpenIdConnectAuthenticationHandler和WsFederationAuthenticationHandler中,我们有这个...
private ClaimsPrincipal ValidateToken(...)
{
...
if (Options.UseTokenLifetime)
{
// Override any session persistence to match the token lifetime.
DateTime issued = jwt.ValidFrom;
if (issued != DateTime.MinValue)
{
properties.IssuedUtc = issued.ToUniversalTime();
}
DateTime expires = jwt.ValidTo;
if (expires != DateTime.MinValue)
{
properties.ExpiresUtc = expires.ToUniversalTime();
}
properties.AllowRefresh = false;
}
}
请注意UseTokenLifetime默认为true。因此,deault行为是使用从IdP服务器获得的身份验证令牌中的有效时间,并在达到该有效时间时结束会话,而不管用户是否处于活动状态。