How to set session timeout and session idle timeout in asp.net

Date: 2021-06-13 03:26:28

I have a simple question but not able to find solution to it. I have set session timeout of the application in the web.config as :

  <sessionState timeout="30" mode="InProc"/>

and it's working fine, but now I got the requirement that if the user is idle, that is, he is not performing any action on the page for one minute, his session should expire. I tried to do it using forms authentication as:

  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" timeout="1" slidingExpiration="false" defaultUrl="login.aspx"/>
  </authentication>

But it's not working. Any help would be appreciated.

1 solution

#1


0  

If I have understood the question correctly (see comments by OP) then the problem is that OP wants both slidingExpiration and absoluteExpiration to be active, but with separate timeouts.

This would enable the system to require a user to log back in after a certain time of idling, and to require a user to log back in after a different time even if the user was not idling.

Unfortunately this is not supported out of the box using forms authentication. You have to choose either sliding or absolute expiration. Or you have to build a workaround yourself.

You can use a very simple workaround by:

  • Setting the timeout of the session longer than the corresponding forms authentication timeout, and also longer than the desired absolute timeout:

    <sessionState timeout="35" mode="InProc"/>
    
  • Set forms authentication to use slidingExpiration = true

  • Create a user logged in timestamp in the session whenever a user logs in:

    Session["userLoggedInAt"] = DateTime.UtcNow;
    
  • Add an Application_PostAcquireRequestState method to Global.asax:

    // Global.asax (C#). FormsAuthentication lives in System.Web.Security.
    void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        // Session is only bound at this stage (after AcquireRequestState) and only
        // for handlers that use session state; anonymous requests are skipped.
        if (context.Session != null && context.User.Identity.IsAuthenticated)
        {
            bool forceLogout = false;
            if (context.Session["userLoggedInAt"] == null)
                forceLogout = true;   // no login timestamp: session lost or never set
            else if (!(context.Session["userLoggedInAt"] is DateTime))
                forceLogout = true;   // unexpected type: treat as invalid
            else if (DateTime.UtcNow > ((DateTime)context.Session["userLoggedInAt"]).AddMinutes(30))
                forceLogout = true;   // absolute lifetime (30 min since login) exceeded

            if (forceLogout)
            {
                // Drop the forms ticket and send the user to the login page; the
                // sliding forms timeout still covers the idle case on its own.
                FormsAuthentication.SignOut();
                FormsAuthentication.RedirectToLoginPage();
            }
        }
    }
    

Disclaimer: Code above was hacked together quickly, may not be foolproof...

Notes:

  • Setting sliding expiration to timeout after 1 minute seems excessively paranoid. Even a fast user will not be able to finish any significant work in the application during that time. Even my web bank has a longer idle timeout than that. I would recommend a minimum of 5-10 minutes.

  • Sliding expiration in forms authentication has an interesting feature: The sliding happens by updating the authentication cookie, moving the expiration date forward when the user is active. But this only happens when at least half the expiration time has passed. If you want to guarantee that a user can be idle for 10 minutes without getting logged out, you must therefore set the timeout to be 20 minutes.

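Added example (not part of the original answer): a variant of the Global.asax handler that enforces both the absolute lifetime and the idle limit from explicit session timestamps, so the idle limit no longer depends on the forms cookie's "renew only after half the timeout" behaviour described in the notes. The limits (30 min absolute, 10 min idle), the `SessionPolicy` class and the `lastActivityAt` key are assumptions for this example; `userLoggedInAt` is the key from the answer.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
// Limits are assumed values for this example: 30 min absolute, 10 min idle.
public static class SessionPolicy
{
    public static readonly TimeSpan AbsoluteLifetime = TimeSpan.FromMinutes(30);
    public static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(10);
    public const string LoggedInAtKey = "userLoggedInAt";   // key used in the answer
    public const string LastActivityKey = "lastActivityAt"; // key added for this example
    // Pure decision so the policy can be unit-tested without an HttpContext.
    public static bool MustLogOut(object loggedInAt, object lastActivityAt, DateTime now)
    {
        if (!(loggedInAt is DateTime) || !(lastActivityAt is DateTime))
            return true;                                   // missing bookkeeping: fail closed
        if (now - (DateTime)loggedInAt > AbsoluteLifetime) // hard cap since login
            return true;
        return now - (DateTime)lastActivityAt > IdleLimit; // cap since last request
    }
    // Call from the login page immediately after the forms ticket is issued.
    public static void MarkLoggedIn(HttpSessionState session)
    {
        DateTime now = DateTime.UtcNow;
        session[LoggedInAtKey] = now;
        session[LastActivityKey] = now;
    }
}
// Global.asax.cs: runs once session state is bound to the request.
public class Global : HttpApplication
{
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (context.Session == null || !context.User.Identity.IsAuthenticated)
            return;
        DateTime now = DateTime.UtcNow;
        if (SessionPolicy.MustLogOut(context.Session[SessionPolicy.LoggedInAtKey],
                                     context.Session[SessionPolicy.LastActivityKey], now))
        {
            context.Session.Clear();          // drop server-side state, then the ticket
            context.Session.Abandon();
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        context.Session[SessionPolicy.LastActivityKey] = now; // any request counts as activity
    }
}
```

The `sessionState timeout` in web.config must still exceed `IdleLimit` (the answer's 35 works here), otherwise ASP.NET discards the timestamps before this check can run.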