保持用户登录 - FormsAuthentication

Question

我正在努力解决这个问题.我正在使用FormAuthentication.当用户登录并且他们检查记住我时,我希望用户保持登录24小时.问题是,无论我做什么,用户都会在30分钟后自动注销.我们用户选择了记住我,我设置了一个持久性cookie,24小时后到期.我可以在浏览器选项中看到cookie,并且过期是正确的.如果我离开网站并回去说一个小时.用户已注销......他是我所拥有的一些代码片段.

bool IsValid = Membership.ValidateUser(LoginControl.UserName, LoginControl.Password);

if (IsValid)
{
    e.Authenticated = true;

    if (LoginControl.RememberMeSet)
    {
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(LoginControl.UserName, true, 1440); // 1 day
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        cookie.Expires = authTicket.Expiration;
        HttpContext.Current.Response.Cookies.Set(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(LoginControl.UserName, true), true);
        FormsAuthentication.SetAuthCookie(LoginControl.UserName, true);
        FormsAuthentication.RedirectFromLoginPage(LoginControl.UserName, true);
    }
    else
    {
        FormsAuthentication.SetAuthCookie(LoginControl.UserName, false);
        FormsAuthentication.RedirectFromLoginPage(LoginControl.UserName, false);
    }
}

这是我的web.config

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" defaultUrl="/" timeout="1" cookieless="UseCookies"  protection="All" slidingExpiration="true" ticketCompatibilityMode="Framework40"/>
</authentication>

当用户没有检查记住我时,我设置了一个非持久性cookie,并且在1分钟不活动后用户注销.这是正常的.问题是当设置了记住cookie并且用户返回时,即使存在cookie,用户也不再登录.

Answer 1

在web.config中设置以下会话状态超时.默认情况下,会话超时为20分钟.

<system.web>
   ...
   <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="1440" />
   </authentication>
   ...  
   <sessionState timeout="1440"/>
   ...
</system.web>

解

如果用户检查记住我,请使用默认票证设置设置验证cookie.否则,请自己创建AuthenticationTicket.

string username = LoginControl.UserName;

if (LoginControl.RememberMeSet)
{
    FormsAuthentication.SetAuthCookie(username, true);
    FormsAuthentication.RedirectFromLoginPage(username, true);
}
else
{
    var authTicket = new FormsAuthenticationTicket(username, true, 1);
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

    var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, 
        encryptedTicket)
    {
        HttpOnly = true,
        Secure = FormsAuthentication.RequireSSL,
        Path = FormsAuthentication.FormsCookiePath,
        Domain = FormsAuthentication.CookieDomain,
        Expires = authTicket.Expiration
    };
    Response.Cookies.Set(cookie);

    // ***** Here is the fix *****
    // Do not use FormsAuthentication.SetAuthCookie or RedirectFromLoginPage
    // if you create own FormsAuthenticationTicket.
    Response.Redirect("~/default.aspx");
}

测试

protected void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated)
    {
        var sb = new StringBuilder();
        var id = (FormsIdentity) User.Identity;
        var ticket = id.Ticket;
        sb.Append("Authenticated");
        sb.Append("<br/>CookiePath: " + ticket.CookiePath);
        sb.Append("<br/>Expiration: " + ticket.Expiration);
        sb.Append("<br/>Expired: " + ticket.Expired);
        sb.Append("<br/>IsPersistent: " + ticket.IsPersistent);
        sb.Append("<br/>IssueDate: " + ticket.IssueDate);
        sb.Append("<br/>Name: " + ticket.Name);
        sb.Append("<br/>UserData: " + ticket.UserData);
        sb.Append("<br/>Version: " + ticket.Version);
        Label1.Text = sb.ToString();
    }
    else
        Label1.Text = "Not Authenticated";
}

说实话,Session和Authentication Cookie超时1分钟太低了,但这取决于你.

另外,请在web.config中注明您自己创建AuthenticationTicket.调试代码的下一个人肯定会欣赏它.

问题(更新)

如果我们自己创建FormsAuthenticationTicket,我们不应该使用FormsAuthentication.RedirectFromLoginPage,它将覆盖我们的自定义过期日期并使用web.config中的日期.