問題描述
如果會話已過期并且用戶單擊指向另一個 Web 表單的鏈接,asp.net 身份驗證會自動將用戶重定向到登錄頁面.
但是,在某些情況下,用戶不會點擊其他網(wǎng)絡(luò)表單的鏈接.例如:在 gridviews 中編輯鏈接,當(dāng)使用帶有文本框的 AutoCompleteExtender 并且應(yīng)用程序嘗試獲取信息時,基本上,在每次回發(fā)完成并且事件不會由 asp.net 身份驗證自動處理的情況下.
處理這些異常的最佳方法是什么?
更新:我剛剛修改了問題標(biāo)題:表單身份驗證超時,而不是初始會話超時.感謝您讓我意識到這種差異.
更新:我剛剛針對我面臨的具體問題創(chuàng)建了一個新問題:如何使用 UpdatePanel 處理因身份驗證票過期而導(dǎo)致的異常?.令人驚訝的是,我沒有找到太多關(guān)于它的信息.非常感謝您的幫助.
這就是為什么許多系統(tǒng)在頁面上包含計時器來給出近似超時時間的原因.這對于交互式頁面來說很難.確實需要鉤住ajax函數(shù),看返回狀態(tài)碼,有點難.一種替代方法是使用基于以下內(nèi)容的代碼,該代碼在頁面生命周期的早期運行并執(zhí)行 ajax 重定向到登錄頁面.否則你會被困在試圖攔截來自 ajax 的返回代碼,并且在 ajax 為你完成的 asp.net 中(即不是像 jQuery 這樣的更手動的方法)你會失去這種檢測的便利性.
http://www.eggheadcafe.com/tutorials/aspnet/7262426f-3c65-4c90-b49c-106470f1d22a/build-an-aspnet-session-timeout-redirect-control.aspxp>
為了快速破解,您可以直接在 pre_init 中嘗試http://forums.asp.net/t/1193501.aspx
編輯需要的是表單身份驗證超時,而不是會話超時.表單身份驗證超時的運行規(guī)模與會話超時不同.會話超時隨著每個請求而更新.直到一半時間過去,表單身份驗證票才會真正更新.因此,如果您將超時設(shè)置為一小時并在 25 分鐘內(nèi)發(fā)送一個請求,則會話將重置為一小時超時,表單身份驗證票不會被觸及并在 35 分鐘內(nèi)到期!要解決此問題,請同步會話超時和表單身份驗證票.這樣你仍然可以只檢查會話超時.如果您不喜歡這樣,那么仍然 - 執(zhí)行以下操作并同步超時,然后解析身份驗證票并讀取其超時.您可以使用 FormsAuthentication.Decrypt 來做到這一點 - 請參閱:
從asp.net代碼后面讀取表單身份驗證cookie
請注意,此代碼要求在登錄時設(shè)置一些會話值 - 在本例中為UniqueUserId".還要更改下面的登錄頁面路徑以適合您的.
<代碼>protected void Application_PreRequestHandlerExecute(對象發(fā)送者,EventArgs e){//只有在可用時才訪問會話狀態(tài)if (Context.Handler 是 IRequiresSessionState || Context.Handler 是 IReadOnlySessionState){//如果我們通過了身份驗證并且我們在這里沒有會話.. 重定向到登錄頁面.HttpCookie authenticationCookie = Request.Cookies[FormsAuthentication.FormsCookieName];if (authenticationCookie != null){FormsAuthenticationTicket authenticationTicket = FormsAuthentication.Decrypt(authenticationCookie.Value);if (!authenticationTicket.Expired){if (Session["UniqueUserId"] == null){//這意味著由于某種原因會話在身份驗證票證之前過期.強制登錄.FormsAuthentication.SignOut();Response.Redirect("Login.aspx", true);返回;}}}}}代碼>
If the session has expired and the user clicks on a link to another webform, the asp.net authentication automatically redirect the user to the login page.
However, there are cases when the user does not click on links to other webforms. For example: edit link in gridviews, when using AutoCompleteExtender with textboxes and the application attempts to get the information, and basically, in every case when a postback is done and the event is not automatically handled by the asp.net authentication.
What is the best way to handle these exceptions?
UPDATE: I have just modified the question title: forms authentication timeout, instead of the initial session timeout. Thanks for making me aware of this difference.
UPDATE: I have just created a new question with the specific problem I am facing: How to handle exception due to expired authentication ticket using UpdatePanel?. Surprisingly, I have not found much information about it. I would really appreciate your help.
This is why many systems include timers on the page to give approximate timeout times. This is tough with interactive pages. You really need to hook ajax functions and look at the return status code, which is a bit difficult. One alternative is to use code based on the following which runs early in the page lifecycle and perform an ajax redirect to a login page. Otherwise you are stuck trying to intercept the return code from ajax and in asp.net where the ajax is done 'for you' (ie not a more manual method like jQuery) you lose this ease of detection.
http://www.eggheadcafe.com/tutorials/aspnet/7262426f-3c65-4c90-b49c-106470f1d22a/build-an-aspnet-session-timeout-redirect-control.aspx
for a quick hack you can try it directly in pre_init http://forums.asp.net/t/1193501.aspx
Edit what is wanted are for forms auth timeouts, not session timeouts. Forms auth timeouts operate on a different scale than session timeouts. Session timeouts update with every request. Forms auth tickets aren't actually updated until half of the time goes by. So if you have timeouts set to an hour and send in one request 25 minutes into it, the session is reset to an hour timeout, the forms auth ticket isnt touched and expires in 35 minutes! To work around this, sync up the session timeout and the forms auth ticket. This way you can still just check session timeouts. If you don't like this then still - do the below and sync up the timeouts and then parse the auth ticket and read its timeout. You can do that using FormsAuthentication.Decrypt - see:
Read form authentication cookie from asp.net code behind
Note that this code requires that upon login you set some session value - in this case its "UniqueUserId". Also change the login page path below to fit yours.
protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
//Only access session state if it is available
if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState)
{
//If we are authenticated AND we dont have a session here.. redirect to login page.
HttpCookie authenticationCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authenticationCookie != null)
{
FormsAuthenticationTicket authenticationTicket = FormsAuthentication.Decrypt(authenticationCookie.Value);
if (!authenticationTicket.Expired)
{
if (Session["UniqueUserId"] == null)
{
//This means for some reason the session expired before the authentication ticket. Force a login.
FormsAuthentication.SignOut();
Response.Redirect("Login.aspx", true);
return;
}
}
}
}
}
這篇關(guān)于如何在 ASP.NET 中處理表單身份驗證超時異常?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!