Session timeout with Azure AD in .NET Core 2.0

Time: 2017-10-31 12:25:28

Tags: c# azure security asp.net-core asp.net-core-2.0

I am trying to authenticate a .NET Core 2.0 application with Azure AD. I get authentication to succeed, but I need a session timeout after an idle period.

Please find my startup.cs config below.

Configure

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory logger)
{
    logger.AddConsole(Configuration.GetSection("Logging"));
    logger.AddDebug((category, logLevel) => (logLevel >= LogLevel.Trace));
    app.UseResponseCaching();

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseBrowserLink();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }
    app.UseStaticFiles();
    // Session middleware runs before authentication, so auth handlers can reach HttpContext.Session
    app.UseSession();
    app.UseAuthentication();
}
```

ConfigureServices

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddOpenIdConnect(options =>
    {
        options.ClientId = Configuration["Authentication:AzureAd:ClientId"];
        options.Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"];
        options.ClientSecret = Configuration["Authentication:ClientSecret"];
        options.CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"];
        options.ResponseType = OpenIdConnectResponseType.IdToken;
    })
    .AddCookie();

    services.AddSession(options =>
    {
        // Session data is discarded after 1 minute without a request that reads or writes the session
        options.IdleTimeout = TimeSpan.FromMinutes(1);
        options.CookieHttpOnly = true;
    });
}
```

1 answer:

Answer 0: (score: 0)

As stated in the Implementation Details section under Working with Session State:

The server uses the IdleTimeout property to determine how long a session can be idle before its contents are abandoned. This property is independent of the cookie expiration. Each request that passes through the Session middleware (either read from or written to) resets the timeout.

I enabled session state, then set session values in one action and read them in another action. Based on my test, the AddSession configuration issues a cookie named .AspNetCore.Session that carries the browser's session ID. The IdleTimeout is 1 minute, and if you read or update session values, the IdleTimeout is reset.

Update

AFAIK, there are no SessionEvents under SessionOptions (services.AddSession). As I understand it, you can set the cookie expiration when using cookie auth, then add handling to clear the session values and send a sign-out request to AAD when the cookie is invalid. Here is my configuration, which you can refer to:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    // Add MVC services to the services container.
    services.AddMvc();

    // Add Authentication services.
    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    // Configure the OWIN pipeline to use OpenID Connect auth.
    .AddOpenIdConnect(option =>
    {
        option.ClientId = Configuration["AzureAD:ClientId"];
        option.Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAd:Tenant"]);
        option.SignedOutRedirectUri = Configuration["AzureAd:PostLogoutRedirectUri"];
        option.Events = new OpenIdConnectEvents
        {
            // OnAuthenticationFailed is a RemoteFailureContext handler defined elsewhere in Startup (not shown here)
            OnRemoteFailure = OnAuthenticationFailed,
        };
    })
    // Configure the OWIN pipeline to use cookie auth.
    .AddCookie(op =>
    {
        // The auth cookie lifetime, not the session IdleTimeout, decides how long the user stays signed in
        op.ExpireTimeSpan = TimeSpan.FromMinutes(20);
        op.LoginPath = "/Account/Login";
        op.Events.OnRedirectToLogin = async (context) =>
        {
            // Clean the session values
            context.HttpContext.Session.Clear();
            // Sign-out to AAD
            await context.HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
            // Redirect to op.LoginPath ("/Account/Login") for logging in again
            context.Response.Redirect(context.RedirectUri);
        };
    });

    services.AddSession(options =>
    {
        options.IdleTimeout = TimeSpan.FromMinutes(20);
        options.CookieHttpOnly = true;
    });
}
```
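As an added example that is not part of the question or the answer: the answer's point is that SessionOptions.IdleTimeout only discards session data, while the authentication cookie decides how long the user stays signed in. The snippet below assumes ASP.NET Core 2.0 with the asker's middleware order (UseSession before UseAuthentication) and introduces a hypothetical extension method, AddCookieWithIdleTimeout, that enforces one idle limit on the cookie ticket itself by stamping the last-activity time into the protected ticket and rejecting stale tickets in OnValidatePrincipal, clearing the session at the same point.

```csharp
// Added example, not code from the question or the answer. Assumes ASP.NET Core 2.0, UseSession()
// registered before UseAuthentication(), and OIDC signing in via the cookie scheme (as in the question).
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class IdleTimeoutCookieExtensions   // hypothetical name chosen for this example
{
    // Kept inside the data-protected ticket, so the browser cannot alter it
    private const string LastActivityKey = "last_activity_utc";

    public static AuthenticationBuilder AddCookieWithIdleTimeout(this AuthenticationBuilder builder, TimeSpan idleLimit)
    {
        return builder.AddCookie(options =>
        {
            options.ExpireTimeSpan = idleLimit;                 // hard cap matching the idle limit
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

            // Stamp the ticket when the OIDC handler signs the user in locally
            options.Events.OnSigningIn = ctx =>
            {
                ctx.Properties.Items[LastActivityKey] = DateTimeOffset.UtcNow.ToString("o");
                return Task.CompletedTask;
            };

            // Runs on every authenticated request and decides whether the ticket is still fresh
            options.Events.OnValidatePrincipal = async ctx =>
            {
                var now = DateTimeOffset.UtcNow;
                if (ctx.Properties.Items.TryGetValue(LastActivityKey, out var stamp)
                    && DateTimeOffset.TryParse(stamp, null, DateTimeStyles.RoundtripKind, out var last)
                    && now - last > idleLimit)
                {
                    // Idle too long: fail this request's authentication, remove the cookie and drop session data
                    ctx.RejectPrincipal();
                    await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                    ctx.HttpContext.Session.Clear();
                    return;
                }
                // Active user: refresh the stamp and have the handler reissue the cookie with it
                ctx.Properties.Items[LastActivityKey] = now.ToString("o");
                ctx.ShouldRenew = true;
            };
        });
    }
}
```

Ending the AAD session itself can stay in OnRedirectToLogin as the answer shows; this check only clears the local cookie and session, so it never issues a redirect that competes with the login challenge.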