ASP.Net 核心 Cookie 身份验证不持久
ASP.Net Core Cookie Authentication is not persistant
我开始使用 ASP.Net Core 2.2 开发网站。
我正在通过自定义 cookie 身份验证(不是身份)实施 login/logout。
请查看或克隆 the repo:
git clone https://github.com/mrmowji/aspcore-custom-cookie-authentication.git .
...或阅读以下代码片段。
这是Startup.cs
中的代码:
public void ConfigureServices(IServiceCollection services) {
...
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options => {
options.LoginPath = new PathString("/login");
options.ExpireTimeSpan = TimeSpan.FromDays(30);
options.Cookie.Expiration = TimeSpan.FromDays(30);
options.SlidingExpiration = true;
});
...
public void Configure(IApplicationBuilder app, IHostingEnvironment env) {
...
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseMvc(routes =>
{
...
这里是Login
动作的代码:
public async Task<IActionResult> Login(LoginViewModel userToLogin) {
var username = "username"; // just to test
var password = "password"; // just to test
if (userToLogin.UserName == username && userToLogin.Password == password) {
var claims = new List<Claim> {
new Claim(ClaimTypes.Name, "admin"),
new Claim(ClaimTypes.Role, "Administrator"),
};
var claimsIdentity = new ClaimsIdentity(
claims, CookieAuthenticationDefaults.AuthenticationScheme);
var authProperties = new AuthenticationProperties {
AllowRefresh = true,
ExpiresUtc = DateTimeOffset.UtcNow.AddDays(10),
IsPersistent = true,
};
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new ClaimsPrincipal(claimsIdentity),
authProperties);
...
Cookie 已按预期设置。我有一个 .AspNetCore.Cookies
cookie,有效期为 10 天后。但大约 30 分钟后,用户将注销。如何强制经过身份验证的用户保持登录状态,即使在浏览器关闭后也是如此?
感谢 @LeonardoSeccia 我找到了答案。请阅读对主要问题的评论。
我只需要在 ConfigureServices
方法中添加 data protection 服务,并提供一种在某处 store/persist 密钥(用于 encrypt/decrypt 敏感数据)的方法,否则,每当服务器或应用程序池重新启动时,都会生成新的密钥,并且旧的加密数据(包括身份验证 cookie)将不会按照它们必须的方式进行解密,从而导致身份验证失败。如果你要部署到像我这样的共享主机,这是必要的。
如果您之前使用过 .Net Framework 中的 ASP.Net,则此数据保护概念在某种程度上等同于 MachineKey
。
我决定 。
这是 Startup.cs
中的最终更改:
public Startup(IConfiguration configuration, IHostingEnvironment environment) {
Configuration = configuration;
hostingEnvironment = environment;
}
private IHostingEnvironment hostingEnvironment;
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services) {
// create a directory for keys if it doesn't exist
// it'll be created in the root, beside the wwwroot directory
var keysDirectoryName = "Keys";
var keysDirectoryPath = Path.Combine(hostingEnvironment.ContentRootPath, keysDirectoryName);
if (!Directory.Exists(keysDirectoryPath)) {
Directory.CreateDirectory(keysDirectoryPath);
}
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(keysDirectoryPath))
.SetApplicationName("CustomCookieAuthentication");
services.Configure<CookiePolicyOptions>(options =>
{
...
我开始使用 ASP.Net Core 2.2 开发网站。 我正在通过自定义 cookie 身份验证(不是身份)实施 login/logout。
请查看或克隆 the repo:
git clone https://github.com/mrmowji/aspcore-custom-cookie-authentication.git .
...或阅读以下代码片段。
这是Startup.cs
中的代码:
public void ConfigureServices(IServiceCollection services) {
...
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options => {
options.LoginPath = new PathString("/login");
options.ExpireTimeSpan = TimeSpan.FromDays(30);
options.Cookie.Expiration = TimeSpan.FromDays(30);
options.SlidingExpiration = true;
});
...
public void Configure(IApplicationBuilder app, IHostingEnvironment env) {
...
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseMvc(routes =>
{
...
这里是Login
动作的代码:
public async Task<IActionResult> Login(LoginViewModel userToLogin) {
var username = "username"; // just to test
var password = "password"; // just to test
if (userToLogin.UserName == username && userToLogin.Password == password) {
var claims = new List<Claim> {
new Claim(ClaimTypes.Name, "admin"),
new Claim(ClaimTypes.Role, "Administrator"),
};
var claimsIdentity = new ClaimsIdentity(
claims, CookieAuthenticationDefaults.AuthenticationScheme);
var authProperties = new AuthenticationProperties {
AllowRefresh = true,
ExpiresUtc = DateTimeOffset.UtcNow.AddDays(10),
IsPersistent = true,
};
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
new ClaimsPrincipal(claimsIdentity),
authProperties);
...
Cookie 已按预期设置。我有一个 .AspNetCore.Cookies
cookie,有效期为 10 天后。但大约 30 分钟后,用户将注销。如何强制经过身份验证的用户保持登录状态,即使在浏览器关闭后也是如此?
感谢 @LeonardoSeccia 我找到了答案。请阅读对主要问题的评论。
我只需要在 ConfigureServices
方法中添加 data protection 服务,并提供一种在某处 store/persist 密钥(用于 encrypt/decrypt 敏感数据)的方法,否则,每当服务器或应用程序池重新启动时,都会生成新的密钥,并且旧的加密数据(包括身份验证 cookie)将不会按照它们必须的方式进行解密,从而导致身份验证失败。如果你要部署到像我这样的共享主机,这是必要的。
如果您之前使用过 .Net Framework 中的 ASP.Net,则此数据保护概念在某种程度上等同于 MachineKey
。
我决定 Startup.cs
中的最终更改:
public Startup(IConfiguration configuration, IHostingEnvironment environment) {
Configuration = configuration;
hostingEnvironment = environment;
}
private IHostingEnvironment hostingEnvironment;
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services) {
// create a directory for keys if it doesn't exist
// it'll be created in the root, beside the wwwroot directory
var keysDirectoryName = "Keys";
var keysDirectoryPath = Path.Combine(hostingEnvironment.ContentRootPath, keysDirectoryName);
if (!Directory.Exists(keysDirectoryPath)) {
Directory.CreateDirectory(keysDirectoryPath);
}
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(keysDirectoryPath))
.SetApplicationName("CustomCookieAuthentication");
services.Configure<CookiePolicyOptions>(options =>
{
...