How to clear the session of a user who was deleted from the database after logging in

Time: 2022-06-10 12:59:53

When a user is authenticated to a web application, a token in session will be stored. If the admin deletes the user in the back end while the user is still online, how do I clear the user's session?

4 solutions

#1


1  

Short answer: you can't do this easily. Let the session expire, and the user won't be able to subsequently login.

Long answer: if this functionality is really important to you, then you will have to check the database with each request to ensure that the user hasn't been deleted since they logged in. This somewhat defeats the purpose of storing user information in session, although the call to the database can be a simple boolean check (i.e. "is the user still valid/active").

Can't I just remove the user's session? It doesn't appear to be possible to locate/manipulate a specific session even if you have the session ID in hand. Keys and storage are managed internally by implementations of SessionStateStoreProviderBase (InProcSessionStateStore, OutOfProcSessionStateStore, SqlSessionStateStore) and aren't intended to be manipulated by developers.

#2


0  

By logging out the user before delete?

#3


0  

Do you need to clear the session or just prevent future access to authorised pages?

If you re-authenticate or check authorisation on each http server request then the user will effectively be logged out.

#4


0  

Based on the session Timeout and SlidingExpiration properties (thanks to @chethan). After the session times out, the user is forced to log in again. From MSDN, SlidingExpiration:

Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value.

<system.web>
    <!-- x = session timeout in minutes (integer) -->
    <sessionState timeout="x"/>
    ...
</system.web>

Or else you can use the AuthorizeAttribute.AuthorizeCore method.

Forms Authentication Guidelines
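
The per-request "is the user still valid" check from answer #1 can live in the AuthorizeCore override mentioned in answer #4. The following is an added example, not code from any of the answers; it assumes ASP.NET MVC with forms authentication, and `IUserStatusStore`, `ActiveUserAuthorizeAttribute` and the 30-second cache window are hypothetical names and values.

```csharp
using System;
using System.Runtime.Caching;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical lookup; implement it against your own user table.
public interface IUserStatusStore
{
    bool IsActive(string userName); // false once an admin deleted or disabled the user
}

public class ActiveUserAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at application start (e.g. in Global.asax).
    public static IUserStatusStore Store { get; set; }

    // Upper bound on how long a deleted user keeps access; trades DB load for latency.
    private static readonly TimeSpan CacheFor = TimeSpan.FromSeconds(30);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // normal cookie and role checks first
        if (Store == null) return false;                     // fail closed if not wired up

        string name = httpContext.User.Identity.Name;
        string key = "user-active:" + name;
        object cached = MemoryCache.Default.Get(key);
        bool active;
        if (cached != null) { active = (bool)cached; }
        else
        {
            active = Store.IsActive(name); // the simple boolean database check
            MemoryCache.Default.Set(key, active, DateTimeOffset.UtcNow.Add(CacheFor));
        }
        if (active) return true;

        // User no longer exists: drop server-side state and expire the auth cookie.
        if (httpContext.Session != null) httpContext.Session.Abandon();
        FormsAuthentication.SignOut();
        return false;
    }

    // Call from the admin "delete user" action so the next request re-checks the database.
    public static void Invalidate(string userName)
    {
        MemoryCache.Default.Remove("user-active:" + userName);
    }
}
```

The cache is per process, so on a web farm other servers keep serving the deleted user until their own entry expires; set `CacheFor` to the longest delay you can accept, or skip the cache and query on every request.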
