asp.net - IIS7 ASP.NET in-process session is not lost after application recycle

Tags: asp.net session iis-7 session-state

I have an ASP.NET MVC application running under IIS7. It uses the default in-process session management, which, according to everything I have read, should lose the user's session after an application pool recycle. But it does not seem to lose it. Even an IIS reset does not lose the session. Has something changed in IIS7 that keeps the session alive?

Accepted answer

This is due to cookie replay - what happens is that your browser sends the cookie carrying the old authentication ticket, and that cookie is accepted as a new session because the web server does not store valid and expired authentication tickets for later comparison. This leaves your site vulnerable to replay attacks if a malicious user obtains a valid forms authentication cookie. To improve security when using forms authentication cookies, see the MSDN link below:

http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx

To improve security when using a forms authentication cookie, you should do the following:

  • Use absolute expiration for forms authentication cookies by setting the SlidingExpiration property to false. This limits the window in which a hijacked cookie can be replayed.

  • Only issue and accept authentication cookies over Secure Sockets Layer (SSL), by setting the RequireSSL property to true and by running the entire Web site under SSL. Setting the RequireSSL property to true ensures that ASP.NET will never send an authentication cookie to the browser over a non-SSL connection; however, the client might not honor the secure setting on the cookie. This means the client might send the forms authentication cookie over a non-SSL connection, thus leaving it vulnerable to hijack. You can prevent a client from sending the forms authentication cookie in the clear by running the entire Web site under SSL.

  • Use persistent storage on the server to record when a user logs out of the Web site, and then use an application event such as PostAuthenticateRequest event to determine whether the current user was authenticated with forms authentication. If the user was authenticated with forms authentication, and if the information in persistent storage indicates the user is logged out, immediately clear the authentication cookie and redirect the browser back to the login page. After a successful login, update storage to reflect that the user is logged in. When you use this method, your application must track the logged-in status of the user, and must force idle users to log out.

(.NET Framework 1.1, 2.0, 3.0, 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1)
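The three MSDN recommendations quoted in the answer, carried through in an ASP.NET (System.Web) application as an added example; this code is not part of the original question, the accepted answer, or Microsoft's documentation. The first two recommendations are web.config settings on the <forms> element (slidingExpiration="false" and requireSSL="true"); the third needs code, shown here. The LogoutStore class, its in-memory dictionary, the MvcApplication and AccountController names and the "Login" action are assumptions for illustration; a real deployment would back the store with a database or distributed cache that survives app-pool recycles and is shared across web-farm nodes.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical server-side record of which users have logged out and when.
// Forms authentication itself keeps no such record, which is why a replayed
// ticket is accepted after SignOut(); this store supplies the missing check.
public static class LogoutStore
{
    // user name -> UTC time of the most recent logout (assumed in-memory store)
    private static readonly ConcurrentDictionary<string, DateTime> LastLogout =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public static void RecordLogout(string userName)
    {
        LastLogout[userName] = DateTime.UtcNow;
    }

    // Called after a successful login so that the freshly issued ticket is
    // not rejected by the comparison below.
    public static void RecordLogin(string userName)
    {
        LastLogout.TryRemove(userName, out _);
    }

    // A ticket is revoked if it was issued at or before the user's last logout.
    // IssueDate is local time on the ticket, so normalise before comparing.
    public static bool IsTicketRevoked(FormsAuthenticationTicket ticket)
    {
        return LastLogout.TryGetValue(ticket.Name, out DateTime loggedOutAt)
            && ticket.IssueDate.ToUniversalTime() <= loggedOutAt;
    }
}

// Global.asax code-behind. PostAuthenticateRequest fires once the forms
// ticket has been decoded into Context.User but before the handler runs,
// so a replayed ticket can be rejected before it reaches any page.
// Note: Session is not yet available at this stage of the pipeline.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User?.Identity as FormsIdentity;
        if (identity == null)
        {
            return; // not forms-authenticated, nothing to check
        }

        if (LogoutStore.IsTicketRevoked(identity.Ticket))
        {
            // Clear the cookie and send the browser back to the login page.
            FormsAuthentication.SignOut();
            Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
        }
    }
}

// Assumed account controller: the logout action records the logout server-side
// in addition to clearing the cookie and abandoning the in-process session.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        LogoutStore.RecordLogout(User.Identity.Name);
        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Login");
    }

    // Called from the login action after credentials have been verified
    // (verification code omitted; it is not the subject of this example).
    private void CompleteLogin(string userName)
    {
        LogoutStore.RecordLogin(userName);
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
    }
}
```

With absolute expiration configured, the window in which a captured cookie is usable is bounded by the forms timeout, and the PostAuthenticateRequest check closes the remaining gap between an explicit logout and that expiry. Because the store is keyed by user name and compared against the ticket's issue time, one user logging out does not invalidate tickets issued to the same account afterwards, which is why RecordLogin clears the entry.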

Regarding "asp.net - IIS7 ASP.NET in-process session is not lost after application recycle", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/3551521/
