我使用以下cookie启动:
app.UseCookieAuthentication(new CookieAuthenticationoptions { SlidingExpiration = true,ExpireTimeSpan = System.TimeSpan.FromDays(30),AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,LoginPath = new PathString("/My/Login"),CookieName = "MyLoginCookie",Provider = new CookieAuthenticationProvider { OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager,ApplicationUser>( validateInterval: TimeSpan.FromMinutes(30),regenerateIdentity: (manager,user) => user.GenerateUserIdentityAsync(manager)) } });
这在整体上,工作正常。 cookie设置30天,因此,一切看起来不错。
如果我关闭浏览器,并在“validateInterval”持续时间过后回来(30分钟这里)我仍然登录,但是cookie现在重新发布为“会话”(正确的cookie名称仍然)! 30天的过期失效。
我已经测试删除“提供程序”和所有的工作,如预期那样,我可以回来几个小时后,我仍然登录罚款。
我读到,最好的做法是使用邮票重新验证,虽然,所以我不确定如何继续。
解决方法
这里是一种使登录持久化,甚至跨身份再生操作的方法。此描述基于使用Visual Studio MVC ASP.NET Web项目模板。
首先,我们需要有一种方法来跟踪登录会话在不同HTTP请求之间持久的事实。这可以通过向用户的身份添加“IsPersistent”声明来完成。以下扩展方法显示了一种方法。
public static class ClaimsIdentityExtensions { private const string PersistentLoginClaimType = "PersistentLogin"; public static bool GetIsPersistent(this System.Security.Claims.ClaimsIdentity identity) { return identity.Claims.FirstOrDefault(c => c.Type == PersistentLoginClaimType) != null; } public static void SetIsPersistent(this System.Security.Claims.ClaimsIdentity identity,bool isPersistent) { var claim = identity.Claims.FirstOrDefault(c => c.Type == PersistentLoginClaimType); if (isPersistent) { if (claim == null) { identity.AddClaim(new System.Security.Claims.Claim(PersistentLoginClaimType,Boolean.TrueString)); } } else if (claim != null) { identity.RemoveClaim(claim); } } }
接下来,当用户登录请求持久会话时,我们需要做出“IsPersistent”声明。例如,您的ApplicationUser类可能有一个GenerateUserIdentityAsync方法,可以更新为采用isPersistent标志参数,如下所示在需要时提出此类声明:
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager,bool isPersistent) { var userIdentity = await manager.CreateIdentityAsync(this,DefaultAuthenticationTypes.ApplicationCookie); userIdentity.SetIsPersistent(isPersistent); return userIdentity; }
ApplicationUser.GenerateUserIdentityAsync的任何调用者现在都需要传入isPersistent标志。例如,在AccountController.SignInAsync中对GenerateUserIdentityAsync的调用将从
AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent },await user.GenerateUserIdentityAsync(UserManager));
至
AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent },await user.GenerateUserIdentityAsync(UserManager,isPersistent));
最后,在Startup.ConfigureAuth方法中使用的CookieAuthenticationProvider.OnValidateIdentity委托需要注意在标识重新生成操作中保留持久性细节。默认委托如下所示:
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager,ApplicationUser>( validateInterval: TimeSpan.FromMinutes(20),user) => user.GenerateUserIdentityAsync(manager))
这可以更改为:
OnValidateIdentity = async (context) =>
{
await SecurityStampValidator.OnValidateIdentity<ApplicationUserManager,ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(20),// Note that if identity is regenerated in the same HTTP request as a logoff attempt,// the logoff attempt will have no effect and the user will remain logged in.
// See https://aspnetidentity.codeplex.com/workitem/1962
regenerateIdentity: (manager,user) =>
user.GenerateUserIdentityAsync(manager,context.Identity.GetIsPersistent())
)(context);
// If identity was regenerated by the stamp validator,// AuthenticationResponseGrant.Properties.IsPersistent will default to false,leading
// to a non-persistent login session. If the validated identity made a claim of being
// persistent,set the IsPersistent flag to true so the application cookie won't expire
// at the end of the browser session.
var newResponseGrant = context.OwinContext.Authentication.AuthenticationResponseGrant;
if (newResponseGrant != null)
{
newResponseGrant.Properties.IsPersistent = context.Identity.GetIsPersistent();
}
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
