The following is a question I asked on my blog a few months back but I still haven't got a proper answer to. Then a couple of days ago I was asked if I had the answer so I decided to copy the question in here where it will get a much more exposure by willing-and-able developers. Anyways, here goes...
以下是几个月前我在博客上提出的一个问题,但我仍然没有得到正确答案。然后几天前我被问到我是否有答案所以我决定在这里复制问题,这将得到自愿和有能力的开发人员的更多曝光。无论如何,这里......
I have been working on an ASP.NET web application that utilizes the AJAX Control Toolkit controls to extend the usability of the application. In addition, the application is a serious business application that requires security, including encryption, authentication and authorization. And the HTTP session is an InProc mode session that expires in the default time of 20 minutes.
我一直在研究一个ASP.NET Web应用程序,它利用AJAX Control Toolkit控件来扩展应用程序的可用性。此外,该应用程序是一个严肃的业务应用程序,需要安全性,包括加密,身份验证和授权。 HTTP会话是InProc模式会话,默认时间为20分钟。
This of course means that if the user leaves a page on his browser for over 20 minutes the session has expired and any post back to the server will redirect the browser to the sign in page. However, if the page, for example, contains the AutoCompleteExtender control from the AJAX Control Toolkit, the user might get back to his browser and start using the extender's functionality, requiring behind the scene callbacks, but will realize that the control simply doesn't work - no error not redirection to the sign in page!?
这当然意味着如果用户在浏览器上离开页面超过20分钟,则会话已过期,并且任何回发到服务器的帖子都会将浏览器重定向到登录页面。但是,如果页面包含来自AJAX Control Toolkit的AutoCompleteExtender控件,则用户可能会回到他的浏览器并开始使用扩展程序的功能,需要在场景回调后面,但会意识到控件根本不会工作 - 没有错误没有重定向到登录页面!?
Like I said, I don't have a solution so I ended up putting the SessionExpiredMonitor (by Herr Ziffer) on all my pages (in my MasterPage), which results in every page auto signing out in 19 minutes and then redirecting the browser to the sign in page. However, I don't find this to be a solution so if you can figure this out then please let me know. Thank you very much.
就像我说的,我没有解决方案,所以我最终将SessionExpiredMonitor(由Herr Ziffer)放在我的所有页面上(在我的MasterPage中),这导致每个页面在19分钟内自动退出,然后将浏览器重定向到登录页面。但是,我不认为这是一个解决方案,所以如果你能解决这个问题,请告诉我。非常感谢你。
3 个解决方案
#1
1
On the server side you can detect that the session is expired and return a strong typed exception. On the browser side, you can specifically detect for that error and simply have the page refresh. This assumes that when your page posts back for the refresh that your application detects expired sessions and has them login again.
在服务器端,您可以检测到会话已过期并返回强类型异常。在浏览器端,您可以专门检测该错误,只需刷新页面即可。这假定当您的页面回发以进行刷新时,您的应用程序会检测到过期的会话并让他们再次登录。
#2
0
What's wrong with redirecting the user to the login page after his session actually expired? From a user point of view I do really prefer this over not noticing an expired session, filling out some way too long form and actually notice the expiration on submit. It's at least a very user friendly solution to the problem.
在会话实际到期后将用户重定向到登录页面有什么问题?从用户的角度来看,我确实更喜欢这个,而不是注意到过期的会话,填写某种方式太长的形式,并实际注意到提交的到期。它至少是一个非常用户友好的解决方案。
#3
0
I think that auto-redirection is the preferable solution, mainly for obvious security reasons.
我认为自动重定向是首选解决方案,主要是出于明显的安全原因。
You could further extend the functionality by displaying an alert to the user after 18mns of inactivity warning them that their session will expire in 1 minute and providing a way of extending the session by clicking a button which in turn calls a back end page to rejuvenate the session.
您可以通过在18分钟不活动后向用户显示警报来进一步扩展功能,警告他们会话将在1分钟后到期,并提供一种通过单击按钮来扩展会话的方法,该按钮又调用后端页面以使其恢复活力。会话。
Just before the session expires and the page redirects the user to the login page you could save the status of the user / page / account so that when they log back in they can be redirected back to the page they last viewed.
在会话到期之前,页面会将用户重定向到登录页面,您可以保存用户/页面/帐户的状态,以便在他们重新登录时可以将其重定向回他们上次查看的页面。
#1
1
On the server side you can detect that the session is expired and return a strong typed exception. On the browser side, you can specifically detect for that error and simply have the page refresh. This assumes that when your page posts back for the refresh that your application detects expired sessions and has them login again.
在服务器端,您可以检测到会话已过期并返回强类型异常。在浏览器端,您可以专门检测该错误,只需刷新页面即可。这假定当您的页面回发以进行刷新时,您的应用程序会检测到过期的会话并让他们再次登录。
#2
0
What's wrong with redirecting the user to the login page after his session actually expired? From a user point of view I do really prefer this over not noticing an expired session, filling out some way too long form and actually notice the expiration on submit. It's at least a very user friendly solution to the problem.
在会话实际到期后将用户重定向到登录页面有什么问题?从用户的角度来看,我确实更喜欢这个,而不是注意到过期的会话,填写某种方式太长的形式,并实际注意到提交的到期。它至少是一个非常用户友好的解决方案。
#3
0
I think that auto-redirection is the preferable solution, mainly for obvious security reasons.
我认为自动重定向是首选解决方案,主要是出于明显的安全原因。
You could further extend the functionality by displaying an alert to the user after 18mns of inactivity warning them that their session will expire in 1 minute and providing a way of extending the session by clicking a button which in turn calls a back end page to rejuvenate the session.
您可以通过在18分钟不活动后向用户显示警报来进一步扩展功能,警告他们会话将在1分钟后到期,并提供一种通过单击按钮来扩展会话的方法,该按钮又调用后端页面以使其恢复活力。会话。
Just before the session expires and the page redirects the user to the login page you could save the status of the user / page / account so that when they log back in they can be redirected back to the page they last viewed.
在会话到期之前,页面会将用户重定向到登录页面,您可以保存用户/页面/帐户的状态,以便在他们重新登录时可以将其重定向回他们上次查看的页面。