Asp.net mvc 我们可以为ASP.NET MVC 5中的角色设置个性化会话超时吗

其思想是为会话设置不同的会话超时值 ASP.NET MVC 5和ASP.NET Identity中的不同用户角色

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // other stuff
    Provider = new CookieAuthenticationProvider
    {
        // this function is executed every http request and executed very early in the pipeline
        // and here you have access to cookie properties and other low-level stuff. 
        // makes sense to have the invalidation here
        OnValidateIdentity = async context =>
        {
            // invalidate user cookie if user's security stamp have changed
            var invalidateBySecirityStamp = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));
            await invalidateBySecirityStamp.Invoke(context);

            // check if user is in admin role
            var isAdmin = context.Identity.Claims.Any(c => c.Type == ClaimTypes.Role && c.Value == "AdminRoleName");

            // check if enough time has passed to invalidate cookie
            var currentUtc = DateTimeOffset.UtcNow;
            if (context.Options != null && context.Options.SystemClock != null)
            {
                currentUtc = context.Options.SystemClock.UtcNow;
            }

            var issuedUtc = context.Properties.IssuedUtc;
            var bootThemOut = (issuedUtc == null);
            if (issuedUtc != null)
            {
                var timeElapsed = currentUtc.Subtract(issuedUtc.Value);
                bootThemOut = timeElapsed > TimeSpan.FromMinutes(3); // invalidate admin cookies in 3 minutes
            }

            if (isAdmin && bootThemOut)
            {
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
            }
        }
    }
});            

---

可以这样做吗？

根据他们的角色，您可以设置超时，即

HttpContext.Current.Session.Timeout = 20;

根据前面的问题，您希望动态地执行此操作。您可以在会话中存储和更新时间，并在基本控制器的

OnActionExecuting

上为每个角色设置时间

    if (User.IsInRole("Admin"))
    {
        filterContext.HttpContext.Session.Timeout = 
(int)filterContext.HttpContext.Session["AdminTimeoutThatYouSetSomewhereElseGlobally"];
    }

---

如果您试图比普通用户更快地启动管理员，这里是我在这个in-Identity上的存根

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // other stuff
    Provider = new CookieAuthenticationProvider
    {
        // this function is executed every http request and executed very early in the pipeline
        // and here you have access to cookie properties and other low-level stuff. 
        // makes sense to have the invalidation here
        OnValidateIdentity = async context =>
        {
            // invalidate user cookie if user's security stamp have changed
            var invalidateBySecirityStamp = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager));
            await invalidateBySecirityStamp.Invoke(context);

            // check if user is in admin role
            var isAdmin = context.Identity.Claims.Any(c => c.Type == ClaimTypes.Role && c.Value == "AdminRoleName");

            // check if enough time has passed to invalidate cookie
            var currentUtc = DateTimeOffset.UtcNow;
            if (context.Options != null && context.Options.SystemClock != null)
            {
                currentUtc = context.Options.SystemClock.UtcNow;
            }

            var issuedUtc = context.Properties.IssuedUtc;
            var bootThemOut = (issuedUtc == null);
            if (issuedUtc != null)
            {
                var timeElapsed = currentUtc.Subtract(issuedUtc.Value);
                bootThemOut = timeElapsed > TimeSpan.FromMinutes(3); // invalidate admin cookies in 3 minutes
            }

            if (isAdmin && bootThemOut)
            {
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
            }
        }
    }
});            

app.UseCookieAuthentication（新的CookieAuthenticationOptions
{
//其他东西
Provider=新CookieAuthenticationProvider
{
//此函数在每个http请求中执行，并在管道中很早就执行
//在这里，您可以访问cookie属性和其他低级内容。
//在这里进行无效宣告是有意义的
OnValidateIdentity=异步上下文=>
{
//如果用户的安全戳已更改，则使用户cookie无效
var invalidatebyscuritystamp=SecurityStampValidator.OnValidateIdentity(
validateInterval:TimeSpan.FromMinutes（30），
regenerateIdentity：（管理器，用户）=>user.GenerateUserIdentityAsync（管理器））；
等待InvalidateBySecurityStamp.Invoke（上下文）；
//检查用户是否处于管理员角色
var isAdmin=context.Identity.Claims.Any（c=>c.Type==ClaimTypes.Role&&c.Value==AdminRoleName）；
//检查是否有足够的时间使cookie无效
var currentUtc=DateTimeOffset.UtcNow；
if（context.Options！=null&&context.Options.SystemClock！=null）
{
currentUtc=context.Options.SystemClock.UtcNow；
}
var issuedUtc=context.Properties.issuedUtc；
var bootThemOut=（issuedUtc==null）；
如果（issuedUtc！=null）
{
var timeappeased=currentUtc.Subtract（issuedUtc.Value）；
bootshemout=timeappeased>TimeSpan.FromMinutes（3）；//在3分钟内使管理员cookie无效
}
if（isAdmin&&bootThemOut）
{
context.RejectIdentity（）；
context.OwinContext.Authentication.SignOut（context.Options.AuthenticationType）；
}
}
}
});            

它是否适用于ASP.NET MVC 5和ASP.NET Identity？是否适用于Mvc5。您是如何实现身份的？你有基地控制器吗？应该没问题。您对用户的检查可能不同，但会话是相同的。仅当您使用默认情况下未启用的会话时，该检查才有效，AFAIKI发现这篇文章让我更好地理解了上面的答案：ASPNET Identity Cookie身份验证超时用于Identity和MVC5：我们如何使用此解决方案实现

SlidingExpiration=true

行为？我阅读了文章，一步一步说“由于用户在位置a的validateInterval之后发出了请求，因此他们将注销并再次提示输入凭据。“。如果我们不想等到validateInterval之后呢？如果用户在位置a更改密码，我希望该用户被强制立即在位置B登录。请您帮忙好吗？@CodingYoshi好的，在密码更新时，更改

SecurityStamp

字段，并将

validateInterval

设置为足够小，以满足您的“立即”要求。尽管我不建议将其设置为少于几秒钟。