c# - 登录用户在一段时间后注销

Question

我制作了一个新的 MVC3 应用程序，它托管在 WinHost 的基本计划上。

问题的要点是，达到了应用程序池内存限制并且每个 session InProc 都被删除，这意味着我的用户已注销。

根据他们的文档，我看到了这个:

http://support.winhost.com/KB/a626/how-to-enable-aspnet-sql-server-session-on-your-web.aspx

以下是执行上述步骤后我的 web.config 的内容:

<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=152368
  -->
<configuration>  
  <connectionStrings>    
    <!-- REMOVED FOR PRIVACY -->
  </connectionStrings>
  <appSettings>
    <add key="webpages:Version" value="1.0.0.0"/>
    <add key="ClientValidationEnabled" value="true"/>
    <add key="UnobtrusiveJavaScriptEnabled" value="true"/>
  </appSettings>
  <system.web>    
    <sessionState mode="SQLServer"
                  allowCustomSqlDatabase="true"                  
                  cookieless="false"
                  timeout="2880"
                  sqlConnectionString="data Source='tcp:s407.winhost.com';database='DB_41_xx';user id='DB_11_xx_user'; password='xx';" />
    <trust level="Full"/>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      </assemblies>
    </compilation>
    <authentication mode="Forms">
      <forms loginUrl="~/" timeout="2880"/>
    </authentication>
    <membership>
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
      </providers>
    </membership>
    <profile>
      <providers>
        <clear/>
        <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
      </providers>
    </profile>
    <roleManager enabled="false">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/"/>
        <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/"/>
      </providers>
    </roleManager>
    <pages>
      <namespaces>
        <add namespace="System.Web.Helpers"/>
        <add namespace="System.Web.Mvc"/>
        <add namespace="System.Web.Mvc.Ajax"/>
        <add namespace="System.Web.Mvc.Html"/>
        <add namespace="System.Web.Routing"/>
        <add namespace="System.Web.WebPages"/>
      </namespaces>
    </pages>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35"/>
        <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-4.0.8.0" newVersion="4.0.8.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

问题在这里:

我的用户在一段时间后仍然被登录。我认为在 session 中使用 SQL 可以避免这个问题。

以下是有关我如何让用户登录的相关代码:

[HttpPost]
public ActionResult Login(LogOnModel model)
{
    using (EfAccountRepository accountRepository = new EfAccountRepository())
    {
        if (accountRepository.ValidateCredentials(model.Email, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.Email, true);
            return RedirectToAction("Index", "Home");
        }    
    }

    ModelState.AddModelError("", "Your email or password is incorrect.");
    return View(model);
}

这是我用来查看用户是否登录的一些代码:

    public static MvcHtmlString AdminDashboardLink()
    {
        if (SecurityHelpers.UserIsPartOfCompany(HttpContext.Current))
        {
            string html = "<li><a href='/Admin'>ADMIN DASHBOARD</a></li>";
            return new MvcHtmlString(html);
        }
        else
        {
            return new MvcHtmlString("");
        }
    }

    public static bool UserIsPartOfCompany(HttpContext context)
    {
        if (!context.Request.IsAuthenticated)
            return false;

        using (EfAccountRepository accountRepository = new EfAccountRepository())
        {
            var loggedInUser = accountRepository.FindByEmail(context.User.Identity.Name);
            string[] userRoles = accountRepository.GetRolesForUser(loggedInUser.AccountId);

            return userRoles.Contains("Editor") || userRoles.Contains("Finance") || userRoles.Contains("Administrator");
        }            
    }

有什么建议吗？也许我的 web.config 有问题，这导致了问题。也许我在添加 session 信息后还需要删除一些东西？

Answer 1

有时是因为垃圾收集器清理了分配给您的应用程序的机器 key 并分配了一个新 key ，导致登录用户注销。解决方案是为您的应用程序生成一个 machineKey 并将其放在 system.web 下的 web.config 中，如

<system.web>
    <machineKey validationKey="###YOUR KEY HERE ###"
                decryptionKey="## decrypt key here ##" 
                validation="SHA1" decryption="AES" />
...
...

此链接可能对您有帮助 http://aspnetresources.com/tools/machineKey