当使用仅HTTP的会话cookie时,客户端如何知道会话何时到期?
[英]When using a HTTP-only session cookie, how does the client know when its session is going to expire?
问题描述
My website is an AngularJS SPA with a Web API/SignalR back-end running on Owin. 
我的网站是AngularJS SPA,其Web API / SignalR后端在Owin上运行。 Authentication was managed with a JSON Web Token (JWT) stored in the browser's local storage. 身份验证通过存储在浏览器本地存储中的JSON Web令牌(JWT)进行管理。
Per corporate directive, I'm moving from JWT in local storage to HTTP-only same-site session cookies with a sliding expiration. 根据公司指令,我正在从本地存储中的JWT迁移到具有滑动到期期限的仅HTTP的同一站点会话cookie。 Everything works great, except for one snag: 一切都很好,除了一个障碍:
My application displays personal health information (PHI), so I must close the application automatically as soon as the session expires. 我的应用程序显示个人健康信息(PHI),因此会话期满后,我必须自动关闭该应用程序。 With JWT, I could inspect the "exp" claim to automatically determine that the session has expired and remove the PHI from the screen. 使用JWT,我可以检查“ exp”声明以自动确定会话已过期,并从屏幕上删除PHI。 But with a HTTP-only cookie, I can't access any part of the token. 但是使用仅HTTP的cookie,我无法访问令牌的任何部分。
When I issue the cookie, I know the expiration and can inform the browser accordingly. 当我发布cookie时,我知道其有效期并可以相应地通知浏览器。 However, when Owin refreshes the cookie, the browser will need to be notified of the new expiration, and I'm not sure how to do that. 但是,当Owin刷新cookie时,需要通知浏览器新的过期时间,我不确定该怎么做。
I could store a second cookie that isn't HTTP-only, containing only the session expiration time, but I would have to refresh that cookie whenever I refresh my primary auth cookie. 我可以存储第二个非HTTP的cookie,它仅包含会话到期时间,但是每当刷新主身份验证cookie时,我都必须刷新该cookie。
How do I tell the browser when the session is going to expire, and keep the browser updated when that expiration changes? 我如何告诉浏览器会话何时到期,并且当到期时间更改时如何保持浏览器更新? How can I attach an event handler to when the cookie is refreshed by Owin? Owin刷新cookie时,如何附加事件处理程序?
Here is my current cookie configuration: 这是我当前的cookie配置:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Active,
CookieHttpOnly = true,
ExpireTimeSpan = TimeSpan.FromHours(2),
SlidingExpiration = true,
CookieName = "Auth"
});
2 个解决方案
解决方案1
0 2018-05-02 16:56:19
Quite reliable and simple approach with HTTP is making endoint for this and check it ie once per second: 使用HTTP的相当可靠和简单的方法为此使用了endint并对其进行检查,即每秒检查一次:
module.run(($interval) = > {
$interval(() => {
$http.get('/checkToken').then((result) => {
if (result.data.expired) {...}
}, (error) => ...)
}, 1000);
})
And on server in checkToken endpoint you can do all needed cheks. 在checkToken终结点中的服务器上,您可以执行所有必需的检查。
For better real-time client-server interaction you may consider using sockets, but this is another story. 为了实现更好的实时客户端-服务器交互,您可以考虑使用套接字,但这是另一回事了。
解决方案2
-2 2018-05-02 16:01:14
I'm not intimately familiar with Angular or Owin, but working with legally-protected education data, the we solve it by ticking down the seconds, then resetting in the handler after an AJAX call completes. 我对Angular或Owin并不是很熟悉,但是使用受法律保护的教育数据,我们通过滴答秒数,然后在AJAX调用完成后在处理程序中进行重置来解决该问题。
A bare-bones version looks something like this: 准系统版本如下所示:
var Countdown = {};
var Countdown.length = 3600 /* your session timeout here */;
var Countdown.seconds = Countdown.length;
var Countdown.tick = function() {
Countdown.seconds--;
if (Countdown.seconds == 0) {
/* handle timeout */
}
/* any additional processing code here */
}
var Countdown.reset = function() {
Countdown.seconds = Countdown.length;
/* any additional processing code here */
}
window.setInterval(Countdown.tick, 1000);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.