我在Startup.cs中使用以下配置设置了ASP.Net Core 3.0 Web服务器:
// Registers MVC, the HttpContext accessor, IdentityServer (with in-memory stores)
// and the authentication core services.
public void ConfigureServices(IServiceCollection services)
{
    // Lifetime of the IdentityServer-managed authentication cookie. The sign-in
    // code also passes an explicit 30-day ExpiresUtc; the two values must agree.
    var cookieLifetime = TimeSpan.FromDays(30);

    services.AddHttpContextAccessor();
    services.AddControllers();

    // NOTE(review): nothing here configures Data Protection key persistence
    // (no AddDataProtection().PersistKeysTo...). If the hosting process restarts
    // with ephemeral keys, previously issued cookies can no longer be decrypted
    // and the user appears signed out regardless of the 30-day lifetime —
    // confirm where keys are stored in the deployed environment.
    var identityServer = services.AddIdentityServer(options =>
    {
        // Sliding expiration renews the cookie on activity; these settings
        // apply to IdentityServer's own cookie scheme (presumably the one
        // HttpContext.SignInAsync(subject, name, props) signs into — verify).
        options.Authentication.CookieSlidingExpiration = true;
        options.Authentication.CookieLifetime = cookieLifetime;
    });

    identityServer.AddInMemoryCaching();
    identityServer.AddClientStore<InMemoryClientStore>();
    identityServer.AddResourceStore<InMemoryResourcesStore>();

    services.AddAuthentication();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
// Builds the HTTP request pipeline. Middleware order is significant:
// exception handling → HTTPS → static files → routing → IdentityServer/auth → endpoints.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Outside development, HSTS keeps browsers on HTTPS (and therefore keeps the
    // auth cookie off plaintext connections); development gets the detailed error page.
    if (!env.IsDevelopment())
    {
        app.UseHsts();
    }
    else
    {
        app.UseDeveloperExceptionPage();
    }

    app.ConfigureExceptionHandler();
    app.UseHttpsRedirection();

    // Static files are served before routing and authentication, so nothing under
    // the web root is protected by the auth/authorization middleware below.
    app.UseFileServer();

    app.UseRouting();

    // NOTE(review): UseIdentityServer() is believed to add the authentication
    // middleware itself, which would make the explicit UseAuthentication() below
    // redundant (harmless) — confirm against the IdentityServer4 version in use.
    app.UseIdentityServer();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints => endpoints.MapControllers());
}
您可以看到我将cookie的生存期设置为30天。
这是我使用用户名/密码登录时运行的代码:
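// Local username/password sign-in.
//
// SECURITY: this action was an HttpGet that took the password from the query
// string, which places credentials into browser history, server/proxy access
// logs and Referer headers. It is now a POST reading the credentials from the
// form body. This is a deliberate wire-level change: the client call must be
// updated to POST the form fields instead of appending them to the URL.
//
// Parameters: email and password exactly as submitted by the client (untrusted).
// Returns an AccountResponse carrying either an error, a "not verified" message,
// or the authenticated account once the auth cookie has been issued.
[HttpPost("Signin")]
public async Task<ActionResult<AccountResponse>> Signin([FromForm]string email, [FromForm]string password)
{
    // Blank credentials get the same generic error as a wrong password, so the
    // repository never has to cope with null/whitespace input.
    if (string.IsNullOrWhiteSpace(email) || string.IsNullOrWhiteSpace(password))
    {
        return new ResponseBuilder<AccountResponse>().WithError("Invalid email/password").Build();
    }

    var (account, status) = accountRepository.AuthenticateAccount(email, password);

    switch (status)
    {
        case AccountRepository.AuthenticateAccountStatusEnum.InvalidEmailPassword:
            return new ResponseBuilder<AccountResponse>().WithError("Invalid email/password").Build();

        case AccountRepository.AuthenticateAccountStatusEnum.AccountExternalProvider:
            // NOTE(review): answering differently here than for a bad password tells
            // an unauthenticated caller that this e-mail exists (account enumeration).
            // Kept for UX parity with the original; consider one generic message.
            return new ResponseBuilder<AccountResponse>().WithError("This email is not associated with a local account.").Build();
    }

    if (account.Status == AccountStatusEnum.WaitingForVerificationCode)
    {
        // NOTE(review): the mapped account is returned to a caller who has NOT been
        // signed in; verify AccountResponse carries nothing that should require auth.
        return new ResponseBuilder<AccountResponse>(Mapper.Map<AccountResponse>(account))
            .WithMessage("This email address is still not verified.")
            .Build();
    }

    // Verified local account: issue the auth cookie and return the account.
    return await CompleteLogin(account);
}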
// Signs the given account into the current HttpContext with a persistent,
// 30-day ticket and returns the account marked as authenticated.
//
// NOTE(review): both the subject and the display name passed to SignInAsync are
// the e-mail address. A subject identifier should normally be a stable, non-PII
// id that survives an e-mail change — confirm this is intended.
private async Task<AccountResponse> CompleteLogin(AccountModel account)
{
    // Absolute expiry of the ticket; keep in step with CookieLifetime in Startup
    // so the two 30-day values do not silently drift apart.
    var expiresAt = DateTime.UtcNow.Add(TimeSpan.FromDays(30));

    var ticketProperties = new AuthenticationProperties
    {
        IsPersistent = true,
        ExpiresUtc = expiresAt,
    };

    await HttpContext.SignInAsync(account.Email, account.Email, ticketProperties);

    var response = Mapper.Map<AccountResponse>(account);
    return response.WithAuthenticated();
}
您可以看到我再次将有效期设置为30天,并将IsPersistent设置为true。
所有这些都很好。如果我登录并关闭浏览器并重新打开,则它仍已通过身份验证。
唯一的问题是,如果我登录后放着不动(比如过一夜),再刷新页面时就不再处于已认证状态。
我遗漏了什么?我希望用户长时间保持登录状态(即使他关闭浏览器、重启电脑等)。
这是我从浏览器中看到的cookie:
看起来还不错……请注意,这份Cookie信息来自一个已经“登出”(很奇怪?)的浏览器会话。