I am developing using VSTS 2008 + C# + .Net 3.5 to develop an ASP.Net application. At the client side, in order to keep the session live, I will refresh the server every 5 seconds. Here is my code at the client side, server side Default.aspx will do nothing -- the only purpose is to keep client alive.
我正在使用VSTS 2008 + C#+ .Net 3.5开发开发ASP.Net应用程序。在客户端,为了使会话保持活动,我将每隔5秒刷新一次服务器。这是我在客户端的代码,服务器端Default.aspx什么都不做 - 唯一的目的是让客户端保持活着。
<html>
<head>
<meta http-equiv="refresh" content="10" />
<iframe src="http://localhost:20000/Default.aspx" width="1" height="1" />
</head>
<body />
<html>
I have monitored the traffic and found each time that the client will send a couple of headers to the server side. Any ideas to reduce the server load or traffic? If the number of clients are big, I am afraid the server workload will be increased significantly.
我监控了流量,发现每次客户端都会向服务器端发送几个头。任何减少服务器负载或流量的想法?如果客户端数量很大,恐怕服务器工作量会大大增加。
Here is the request and response header I monitored,
这是我监控的请求和响应标头,
Request headers
Connection : Keep-Alive Accept : / Accept-Encoding : gzip, deflate Accept-Language : en-us Host : localhost:20000 User-Agent : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022; CIBA; .NET CLR 3.5.30729; MS-RTC LM 8; .NET CLR 3.0.30729; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
连接:Keep-Alive接受:/ Accept-Encoding:gzip,deflate Accept-Language:en-us主机:localhost:20000 User-Agent:Mozilla / 4.0(兼容; MSIE 8.0; Windows NT 6.0; Trident / 4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022; CIBA; .NET CLR 3.5.30729; MS-RTC LM 8; .NET CLR 3.0.30729; OfficeLiveConnector.1.4 ; OfficeLivePatch.1.3)
Response headers
Server : Microsoft-IIS/7.0
服务器:Microsoft-IIS / 7.0
2 个解决方案
#1
First question is: Why on earth do you think you have to keep the client alive?? What's the purpose of that??
第一个问题是:为什么你认为你必须让客户活着?那是什么意思?
Marc
#2
If you're going to keep the session alive manually anyways you'll end up with those same problems and the kind of problems you're now trying to solve.
如果你要手动保持会话活动,那么你最终会遇到同样的问题以及你现在试图解决的那些问题。
If you really really wanna try and make your application harder to hack based on session information (which most web banks see no reason to do other than to force a locout after like 10 min) you could reverse the logic. Have the server notify the client that the session will be terminated if the client replies the termination can be cancelled. (this can be done in JavaScript client side so if the browser has been closed there'll be no reply)
如果你真的想尝试让你的应用程序更难以根据会话信息进行攻击(大多数网络银行认为没有理由除了在10分钟之后强制进行定位),你可以改变逻辑。如果客户端回复终止可以取消,则让服务器通知客户端会话将被终止。 (这可以在JavaScript客户端完成,所以如果浏览器已经关闭,那么就没有回复)
#1
First question is: Why on earth do you think you have to keep the client alive?? What's the purpose of that??
第一个问题是:为什么你认为你必须让客户活着?那是什么意思?
Marc
#2
If you're going to keep the session alive manually anyways you'll end up with those same problems and the kind of problems you're now trying to solve.
如果你要手动保持会话活动,那么你最终会遇到同样的问题以及你现在试图解决的那些问题。
If you really really wanna try and make your application harder to hack based on session information (which most web banks see no reason to do other than to force a locout after like 10 min) you could reverse the logic. Have the server notify the client that the session will be terminated if the client replies the termination can be cancelled. (this can be done in JavaScript client side so if the browser has been closed there'll be no reply)
如果你真的想尝试让你的应用程序更难以根据会话信息进行攻击(大多数网络银行认为没有理由除了在10分钟之后强制进行定位),你可以改变逻辑。如果客户端回复终止可以取消,则让服务器通知客户端会话将被终止。 (这可以在JavaScript客户端完成,所以如果浏览器已经关闭,那么就没有回复)