1

每个人。

“到期时间缓冲区”是什么意思?让我向你解释一下。

在我的 Azure 云服务项目中,只有一个 Web Role。我将启用的 ACS 命名空间与一些身份提供者集成在一起。身份提供者将颁发一个令牌。总之,会有一个 SessionSecurityToken 实例。我的网络角色将处理它的到期。

这是示例代码,

void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        Trace.TraceInformation("SessionAuthentication_SessionSecurityTokenReceived event");
        SessionSecurityToken sessionToken = e.SessionToken;            
        if (sessionToken.ValidTo < DateTime.UtcNow)
        {
            Trace.TraceInformation("SessionSecurityToken with token expiration time {0} expired at {1}. Its key expiration time is {2}",
                sessionToken.ValidTo,
                DateTime.UtcNow,
                sessionToken.KeyExpirationTime);
            Response.Write("{\"message\":\"token timeout\"}");
        }
    }

但是,并不是每次 sessionToken.ValidTo 小于 DateTime.UtcNow 时都会触发令牌过期异常。

Message string  SessionSecurityToken with token expiration time 06/13/2013 09:12:31 expired at 06/13/2013 09:12:37. Its key expiration time is 06/13/2013 09:12:31; TraceSource 'w3wp.exe' event

Message string  SessionSecurityToken with token expiration time 06/13/2013 09:12:31 expired at 06/13/2013 09:14:37. Its key expiration time is 06/13/2013 09:12:31; TraceSource 'w3wp.exe' event

Message string  SessionSecurityToken with token expiration time 06/13/2013 09:12:31 expired at 06/13/2013 09:16:37. Its key expiration time is 06/13/2013 09:12:31; TraceSource 'w3wp.exe' event

Message string  SessionSecurityToken with token expiration time 06/13/2013 09:12:31 expired at 06/13/2013 09:35:32. Its key expiration time is 06/13/2013 09:12:31; TraceSource 'w3wp.exe' event

并且只有最后一次检查才会触发异常,就像这样。

    Message string  <TraceSource>System.IdentityModel</TraceSource>
<Object>&lt;TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"&gt;&lt;TraceIdentifier&gt;http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx&lt;/TraceIdentifier&gt;&lt;Description&gt;Throwing an exception.&lt;/Description&gt;&lt;AppDomain&gt;/LM/W3SVC/1273337584/ROOT-1-130155861607927929&lt;/AppDomain&gt;&lt;Exception&gt;&lt;ExceptionType&gt;System.IdentityModel.Tokens.SecurityTokenExpiredException, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089&lt;/ExceptionType&gt;&lt;Message&gt;ID4255: The SecurityToken is rejected because the validation time is out of range.
ValidTo: '6/13/2013 9:12:31 AM'
ValidFrom: '6/13/2013 9:02:32 AM'
Current time: '6/13/2013 9:35:32 AM'&lt;/Message&gt;&lt;StackTrace&gt;   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ValidateSession(SessionSecurityToken securityToken)
   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ValidateToken(SecurityToken token)
   at System.IdentityModel.Services.SessionAuthenticationModule.ValidateSessionToken(SessionSecurityToken sessionSecurityToken)
   at System.IdentityModel.Services.SessionAuthenticationModule.SetPrincipalFromSessionToken(SessionSecurityToken sessionSecurityToken)
   at System.IdentityModel.Services.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie)
   at System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp;amp;amp; completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
&lt;/StackTrace&gt;&lt;ExceptionString&gt;System.IdentityModel.Tokens.SecurityTokenExpiredException: ID4255: The SecurityToken is rejected because the validation time is out of range.
ValidTo: '6/13/2013 9:12:31 AM'
ValidFrom: '6/13/2013 9:02:32 AM'
Current time: '6/13/2013 9:35:32 AM'&lt;/ExceptionString&gt;&lt;/Exception&gt;&lt;/TraceRecord&gt;</Object>

那么任何人都可以解释这种行为吗?有什么问题?如何避免这种情况?

谢谢。

亚瑟

4

1 回答 1

1

您可以通过设置自己的超时来覆盖 SessionAuthenticationModule 的默认行为。实际上,我遇到了一个问题,即需要实现它以绕过由我连接到的身份提供程序(非 Azure)发出的 SAML 令牌的 2 分钟超时窗口。

您可以通过继承 SessionAuthenticationModule 或处理 Global.asax 中的 SessionSecurityTokenReceived 事件来做到这一点。

这是从Vittorio Bertocci 的“Programming Windows Identity Foundation”一书中借用的一个示例,该示例使过期在 2 分钟的滚动窗口上工作。尽管您必须将命名空间更改为“System.IdentityModel”,因为在将 Windows Identity Foundation 添加到 .NET Framework 4.5 时它们已更改。

<%@ Application Language=”C#” %>
<%@ Import Namespace=”Microsoft.IdentityModel.Web” %>
<%@ Import Namespace=”Microsoft.IdentityModel.Tokens” %>
<script runat=”server”&gt;
    void SessionAuthenticationModule_SessionSecurityTokenReceived
        (object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        DateTime now = DateTime.UtcNow;
        DateTime validFrom = e.SessionToken.ValidFrom;
        DateTime validTo = e.SessionToken.ValidTo;
        double halfSpan = (validTo – validFrom).TotalMinutes / 2;
        if ( validFrom.AddMinutes( halfSpan ) < now && now < validTo )
        {
            SessionAuthenticationModule sam = sender as SessionAuthenticationModule;
            e.SessionToken = sam.CreateSessionSecurityToken(
                    e.SessionToken.ClaimsPrincipal,
                    e.SessionToken.Context,
                    now, now.AddMinutes(2), e.SessionToken.IsPersistent);
            e.ReissueCookie = true;
        }
    }     
//...
于 2014-05-23T19:37:44.697 回答