我有一个曾经无限期超时的ASP.NET MVC5应用程序,因此用户在实际点击“注销”链接之前没有注销。几周前使用Startup.Auth.cs
中的代码对此进行了更改app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/"),
ExpireTimeSpan = TimeSpan.FromMinutes(29),
SlidingExpiration =true
});
问题在于,有些用户在更改之前仍然被烹饪,但他们似乎仍然登录。有没有办法登出这些用户,而无需对应用程序进行部署更改以存储/检查额外的值。饼干?
答案 0 :(得分:0)
最好的办法是引入SecurityStamp验证。您的所有Cookie都具有可以检查的价值,而您自己并不需要做很多事情。像CookieAuthenticationProvider这样添加CookieAuthenticationOptions:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/"),
ExpireTimeSpan = TimeSpan.FromMinutes(29),
SlidingExpiration = true,
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
},
});
此SecurityStampValidator将导致Cookie每30分钟重新生成一次。您可以根据需要缩短验证间隔,但我不建议间隔太短,因为它会增加数据库的负载。我通常用10分钟。
不幸的是,您仍然需要重新部署此更改,但没有太多代码可供您编写: - )