堆栈内存溢出
  简体   繁体   English

在WINhost上没有记住ASP.NET SPA WEBAPI BEARER TOKEN

[英]ASP.NET SPA WEBAPI BEARER TOKEN not being remembered on winhost

 原文  2015-03-04 19:00:28       c#/ asp.net/ asp.net-web-api/ bearer-token

问题描述

I have this ASP.NET web SPA web api project that uses BEARER TOKEN Authentication. 我有这个使用BEARER TOKEN身份验证的ASP.NET Web SPA web api项目。

I have deployed it to a couple different places, locally and azure cloud, and I do NOT see this issue. 我已将它部署到几个不同的地方,本地和蔚蓝云,我没有看到这个问题。

Because of budget reasons I decided to buy from a hosting company (winhost). 由于预算原因,我决定从托管公司(winhost)购买。 When the site is running from this host only I only see the following issue. 当站点仅从此主机运行时,我只看到以下问题。

The issue is after you have logged into the site and sit idle for X minutes the next request fails till you refresh and login. 问题是在您登录站点并闲置X分钟后,下一个请求失败,直到您刷新并登录。 (I get a 401 (Unauthorized)) (我得到401(未经授权))

The expiration of the token seems to only be 10-20 minutes instead of 2 weeks (which works by default on azure and my visual studio local). 令牌的到期似乎只有10-20分钟,而不是2周(默认情况下,天蓝色和我的视觉工作室本地)。 I have also printed out the token when received and it is 2 weeks. 我收到时还打印了令牌,为期2周。

The behavior I'm expecting is the bearer token to be cached (which I have confirmed by logging the header), then be sent with the next request, which then is authorized and returns results. 我期待的行为是要缓存的承载令牌(我已通过记录标头确认),然后与下一个请求一起发送,然后授权并返回结果。

This new host has some default IIS settings that I think is breaking it. 这个新主机有一些默认的IIS设置,我认为它打破了它。 I already had to change a few default settings, such as manually turning off basic auth through the IIS manager. 我已经不得不更改一些默认设置,例如通过IIS管理器手动关闭基本身份验证。

Any ideas? 有任何想法吗?

The only thing I could find matching the description of what I am seeing is this link. 我能找到的唯一符合我所看到的描述的是这个链接。 ASP.NET Web API Authorization tokens expiring early ASP.NET Web API授权令牌提前到期

I would of commented on that post but I do not have high enough reputation points. 我想对那篇文章发表评论,但我没有足够高的声望点。 Out of convenience I have copied that post below. 出于方便,我在下面复制了这篇文章。

I have implemented security for my web api (individual accounts) as discussed here . 我已经实现安全我的网络API(个人账户)的讨论在这里

I have hosted the website on godaddy (shared hosting) and its working fine. 我在godaddy(共享主机)上托管了该网站,并且其工作正常。 When I ask for token by using url "domain.com/token", I get the token with expiration date of within 15 days. 当我使用url“domain.com/token”请求令牌时,我会获得有效期为15天的令牌。 I have set this in "StartupAuth.cs" using 我在“StartupAuth.cs”中设置了这个 

AccessTokenExpireTimeSpan = TimeSpan.FromDays(15)

eg: 例如: 

{
  "access_token":"qwertyuiop.....",
  "token_type":"bearer",
  "expires_in":1209599, 
  "userName":"user@example.com",
  ".issued":"Wed, 11 Feb 2015 01:00:00 GMT",
  ".expires":"Thu, 26 Feb 2015 01:00:00 GMT"
}

(I put values in above code, but you get the idea of the ".expires" field. (我将值放在上面的代码中,但是您可以了解“.expires”字段。

5 minutes after getting the token, when I try and access "get" or "post" or any method in my API by passing authorization: bearer token in header as: 获取令牌后5分钟,当我尝试通过传递授权访问“get”或“post”或我的API中的任何方法时:标头中的bearer token为: 

Authorization: Bearer qwertyuiop.....

I get this error: 我收到此错误: 

{"Message":"Authorization has been denied for this request."}

Although its just been 5 minutes and token is supposed to last 15 days, it expires within 5 minutes. 虽然它只是5分钟而且令牌应该持续15天,但它会在5分钟内到期。 When I request any method "get"/"post" within interval of 5 minutes, I get the proper response with my data in JSON. 当我在5分钟的间隔内请求任何方法“获取”/“发布”时,我在JSON中得到了我的数据的正确响应。 In short, authorization succeeds. 简而言之,授权成功。

I have repeated this behavior by testing it via Fiddler, REST plugin of Chrome and via the mobile app which uses the API. 我通过Fiddler,Chrome的REST插件以及使用API​​的移动应用程序进行测试,重复了这种行为。

I have web.config values for session as below (I thought its related) 我有会话的web.config值如下(我认为它的相关) 

<sessionState timeout="180" />

Note that forms authentication is not used, so timeout on that section in web.config is not necessary. 请注意,不使用表单身份验证,因此不需要在web.config中的该部分超时。

Any idea what's going on? 知道发生了什么事吗? This timeout is causing the users of mobile apps which use the API to re-login every now and then. 此超时导致使用API​​的移动应用程序的用户不时地重新登录。 Any help would be appreciated. 任何帮助,将不胜感激。

Thanks. 谢谢。

2 个解决方案

解决方案1
 0  2015-03-19 10:01:51

在IIS中,可以在应用程序级别设置机器密钥,每次应用程序池回收时都会生成新的机器密钥,因此您需要一个新的令牌

解决方案2
 0  2015-11-30 04:47:42

Answered here 这里回答

Add to web.config not to be affected by app pool recycling 添加到web.config不受应用程序池回收的影响 

<system.web>
   <machineKey validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
            decryptionKey="261F793EB53B761503AC445E0CA28DA44AA9B3CF06263B77"
            validation="SHA1"/>

Read here how to generate https://support.microsoft.com/en-us/kb/312906 请在此处阅读如何生成https://support.microsoft.com/en-us/kb/312906

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在 ASP.NET WebAPI 中检索不记名令牌 - Retrieve bearer token in ASP.NET WebAPI 在 ASP.NET WebApi 2 中自定义承载令牌 JSON 结果 - Customize Bearer token JSON result in ASP.NET WebApi 2 不带CORS的SPA的ASP.NET WebApi - ASP.NET WebApi for SPA without CORS ASP.NET Core WebAPI: Bearer error=&quot;invalid_token&quot;, error_description=&quot;未找到签名密钥&quot; - ASP.NET Core WebAPI: Bearer error="invalid_token", error_description="The signature key was not found" Asp.Net Core 2 验证不记名令牌 - Asp.Net Core 2 Validating bearer token ASP.NET Core 中的承载令牌身份验证 - Bearer Token Authentication in ASP.NET Core 在 Asp.Net Core 中使用 Swagger 未在请求中发送授权承载令牌 - Authorization Bearer token not being sent in request using Swagger in Asp.Net Core 具有社交登录且没有MVC依赖关系的ASP.NET WebAPI 2.2 SPA - ASP.NET WebAPI 2.2 SPA with social login and no MVC dependencies ASP.Net 5-OAuth承载令牌(JWT)验证错误 - ASP.Net 5 - OAuth bearer token (JWT) validation error ASP.Net Core 3.0 JWT Bearer Token 没有可用的 SecurityTokenValidator - ASP.Net Core 3.0 JWT Bearer Token No SecurityTokenValidator available
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM