[英]How does the session timeout work in IIS 7?
In web.config, I set timeout in the sessionState to 20 minutes. 在web.config中,我将sessionState中的超时设置为20分钟。 According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned.
根据MSDN,此超时指定会话在被放弃之前可以空闲的分钟数。 In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out automatically is populated with timeout value set in web.config, which in my case is 20 minutes.
在IIS 7中,DefaultWebSite->会话状态 - > Cookie设置 - >超时自动填充web.config中设置的超时值,在我的情况下是20分钟。 Also, Application Pools->DefaultAppPool->Advanced Settings->idleTimeout, I set it to 10 minutes.
此外,应用程序池 - > DefaultAppPool->高级设置 - > idleTimeout,我将其设置为10分钟。
Then I made two tests: First test: I logged in my web app at 3:45pm, idling for 10 minutes. 然后我做了两个测试:第一次测试:我在下午3:45登录我的网络应用程序,闲置10分钟。 At 3:55pm, I tried to use my app, I got kicked out.
下午3:55,我试图使用我的应用程序,我被踢了出去。 I think the idleTimeout comes in play.
我认为idleTimeout正在发挥作用。
Second test: I logged in my web app at 4:00pm, play with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. 第二次测试:我在下午4:00登录我的网络应用程序,在下午4:05,下午4:10,下午4:15和下午4:20使用应用程序。 I expected being kicked out at 4:20pm.
我预计会在下午4:20被踢出局。 But I was not.
但我不是。 I thought the session state timeout (20min) in IIS 7 is the the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate.
我认为IIS 7中的会话状态超时(20分钟)是Web Agent挑战用户重新进行身份验证之前用户会话可以处于活动状态的最长时间。 Apparently from this test, it is not.
显然,从这个测试,它不是。 Can anyone explain that to me?
任何人都可以向我解释一下吗? Also, how could I set the timeout for above case?
另外,我如何设置上述情况的超时?
Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server. 会话超时是一个滑动超时,每次用户访问服务器时都会将其重置为配置的值。
The Application Idle time-out kicks in if there have been no requests to your application for that period of time. 如果在这段时间内没有向您的应用程序发出请求,则应用程序空闲超时将启动。
The usual scenarios is therefore: 因此通常的情况是:
Time | User A | User B | Session States
------+--------------+--------------+-------------------------------------------
12:00 | Visits Page1 | | A: New Session, Time-out: 20 minutes
12:02 | Visits Page2 | | A: Time-out reset: 20 minutes
12:10 | | Visits Page1 | A: Time-out: 12 min; B: New: 20 minutes
12:15 | | Visits Page2 | A: Time-out: 07 min; B: Time-out: 20 min
12:22 | | | A: times out; B: 13 min remaining
12:32 | | | Application Shuts Down (Idle time reached)
12:35 | Visits Page3 | | A: New Session Starts
If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost. 如果用户A在12:22之后返回该站点,他们将有一个全新的会话,并且您之前存储的任何值都将丢失。
The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that's it not AutoGenerated each time the server restarts. 确保会话在应用程序重新启动时持续存在的唯一方法是配置SessionState服务或SQL会话状态,并确保已配置machine.key,以便每次服务器重新启动时都不是AutoGenerated。
If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will will issue two cookies to each user: 如果您使用标准ASP.NET机制进行身份验证,那么ASP.NET将向每个用户发出两个cookie:
Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session. 这两个cookie都使用MachineKey加密 - 因此,如果您的应用程序回收并生成新密钥,则这些令牌都不能被解密,要求用户登录并创建新会话。
Responding to comments: 回应评论:
Session.Add(string, object)
method. Session.Add(string, object)
方法放置在用户会话对象( HttpSessionState )中的项目有关。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.