全天保持会议 [英] Maintaining a Session throughout the day

问题描述

我需要全天保持会议状态吗?在会话过期之前或之前，如何在一天中强制执行会话，而又不给IIS或web.config提供任何会话超时?

I need to maintaing the Session throughout the day? On or before session expires, how do I enforce session throughout the day without giving any session timeout either in IIS or web.config?

注意:IIS中的默认会话超时-20分钟.

Note: Default Session Timeout in IIS – 20 minutes.

预先感谢

推荐答案

您可以做的第一件事是使用保存会话序列化副本的SQL(或其他数据库)会话状态服务器将会话与进程分离.会话ID附带的数据.然后，您可以使用永久性Cookie来回传递会话ID.任何过期的会话都可以重新生成或恢复.

The first thing you can do is decouple the session from the process by using a SQL (or other database) session state server that holds the serialized copy of the session data attached to a session id. Then you could use a persistent cookie to pass the session id back and forth. Any session that expires could then be regenerated or reinstated.

由于您要整天保持会话状态(本来就是不安全的)，因此我们假定大多数安全性考虑因素已被排除在外.如果您担心重播攻击，则可以使用HMAC来验证Cookie会话请求，方法是将会话ID，日期时间，用户名(如果这是数据的一部分)，字符串中的IP地址(后跟单向加盐)此数据的哈希值.这样，您可以重新哈希处理数据，并将与请求一起发送的哈希与从该数据生成的哈希进行比较，以查看请求是否有效.

Since you're wanting to maintain a session all day (which is innately insecure), we'll assume that most security considerations have already been thrown out. If you're concerned about replay attacks, you could use an HMAC to validate cookie session requests by having the session id, datetime, username (if that's part of your data), maybe IP address in a string followed by a one-way salted hash of this data. This way you rehash the data and compare the hash sent with the request with the generated hash from that data to see if the request is valid.

这篇关于全天保持会议的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！