
我正在尝试实现基于 ASP.NET Core Cookie 的身份验证,所以我在 startup.cs 中添加了下面的代码:

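// Cookie authentication: the single "Cookies" scheme handles sign-in, challenge and forbid.
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
                    {
                        // Unauthenticated requests to protected endpoints are redirected here.
                        options.LoginPath = new PathString("/login");
                        // NOTE(review): AccessDeniedPath is hit by a user who IS authenticated but
                        // lacks permission; sending them back to the login form is confusing and can
                        // loop. A dedicated "/access-denied" page is the usual choice. Kept as-is.
                        options.AccessDeniedPath = new PathString("/login");
                        // Idle lifetime of the authentication ticket. It was not configured before,
                        // so the framework default applied (currently 14 days) and the auth cookie
                        // outlived the 30-minute session. Aligning it with the session idle timeout
                        // makes both expire together for ordinary (non "remember me") logins.
                        // Caveat: an explicit ExpiresUtc passed to SignInAsync overrides this value.
                        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                        // Re-issue the ticket when more than half of ExpireTimeSpan has elapsed,
                        // so an active user is not logged out mid-session.
                        options.SlidingExpiration = true;
                        // The auth cookie carries the whole ticket: never send it over plain HTTP.
                        // HttpOnly is already the framework default for this cookie.
                        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                    });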

我正在使用下面的代码登录

[HttpPost]
        [ValidateAntiForgeryToken]
        [Route("login")]
        public async Task<IActionResult> Login(AuthViewModel authView)
        {
            if (ModelState.IsValid)
            {
                var (status, message, SigninUser) = await authentication.Authenticate(new User()
                {
                    email = authView.Email,
                    pwd = authView.Password
                });

                if (status)
                {

                    List<Claim> claims = new List<Claim>
                    {
                        new Claim(ClaimTypes.Name, "App Member"),
                        new Claim(ClaimTypes.Email, SigninUser.email)
                    };

                    ClaimsIdentity identity = new ClaimsIdentity(claims, "cookie");
                    ClaimsPrincipal principal = new ClaimsPrincipal(identity);

                    await HttpContext.SignInAsync(
                                scheme: CookieAuthenticationDefaults.AuthenticationScheme,
                                principal: principal,
                                properties: new AuthenticationProperties
                                {
                                    IsPersistent = authView.RememberMe,
                                    ExpiresUtc = DateTime.UtcNow.AddYears(1)
                                });

                    HttpContext.Session.Set<User>("session_user", SigninUser);
                    if (Url.IsLocalUrl(authView.returnUrl))
                        return Redirect(authView.returnUrl);
                    else
                        return RedirectToAction("Index");
                }
                else
                {
                    authView.Status = false;
                    authView.Message = message;
                }
            }
            else
            {
                string message = string.Join(" | ", ModelState.Values.SelectMany(e => e.Errors).Select(v => v.ErrorMessage));
                authView.Status = false;
                authView.Message = message;
            }

            return View(authView);

        }

这工作正常。但是当我让浏览器空闲 30 分钟后,"session_user" 这个会话变量会过期,而用户仍然处于已认证状态(身份验证 cookie 并没有随会话一起过期)。我该如何解决这个问题?

另外,使用基于 cookie 的身份验证会降低性能吗?

谢谢

