C# 为什么Session.Clear()-不';不行?
我正在使用C# 为什么Session.Clear()-不';不行?,c#,asp.net-web-api,.net-core,.net-core-2.1,C#,Asp.net Web Api,.net Core,.net Core 2.1,我正在使用.NETCore2.1,并尝试将会话用作身份验证的一部分。我期望发生的是: 用户登录 我设置会话值 返回会话cookie 人员单击“注销” 我通过HttpContext.session.clear()清除会话 然后我试图假装会话cookie是从原始用户那里偷来的,因此我向服务器创建了另一个请求,并期望会话中设置的值不会出现。即使调用了Session.Clear(),它看起来仍然保持着它 代码: Startup.cs public void ConfigureServices(I
.NETCore2.1HttpContext.session.clear()清除会话Session.Clear() public void ConfigureServices(IServiceCollection services)
{
services.AddSession(options =>
{
options.IdleTimeout = TimeSpan.FromMinutes(10);
options.Cookie.Name = SessionCookieName;
options.Cookie.HttpOnly = true;
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
app.UseSession();
}
HttpContext.Session.SetInt32(SessionConstants.Key, value);
HttpContext.Session.Clear();
var sessionValue = HttpContext.Session.GetInt32(SessionConstants.Key);
var httpClientGenuineRequest = GetClient();
var httpClientAttacker = GetClient();
//Given
var request = new LoginRequest()
{
//filled properties
};
var loginResponse = await httpClientGenuineMember.PostAsync("urlToLoginAction", new JsonContent(request));
AddResponseCookiesToHeaders(httpClientAttacker, loginResponse);
await httpClientGenuineMember.PostAsync("urlToLogoutAction", new JsonContent(request));
//When
var response = await httpClientAttacker.GetAsync("urlToCheckStatusAction");
//Here the actual result is true
var actualResult = response.GetResult<bool>();
//Then
var expectedResult = false;
HttpContext.Session.SetInt32(SessionConstants.Key, value);
HttpContext.Session.Clear();
var sessionValue = HttpContext.Session.GetInt32(SessionConstants.Key);
var httpClientGenuineRequest = GetClient();
var httpClientAttacker = GetClient();
//Given
var request = new LoginRequest()
{
//filled properties
};
var loginResponse = await httpClientGenuineMember.PostAsync("urlToLoginAction", new JsonContent(request));
AddResponseCookiesToHeaders(httpClientAttacker, loginResponse);
await httpClientGenuineMember.PostAsync("urlToLogoutAction", new JsonContent(request));
//When
var response = await httpClientAttacker.GetAsync("urlToCheckStatusAction");
//Here the actual result is true
var actualResult = response.GetResult<bool>();
//Then
var expectedResult = false;
HttpContext.Session.SetInt32(SessionConstants.Key, value);
HttpContext.Session.Clear();
var sessionValue = HttpContext.Session.GetInt32(SessionConstants.Key);
var httpClientGenuineRequest = GetClient();
var httpClientAttacker = GetClient();
//Given
var request = new LoginRequest()
{
//filled properties
};
var loginResponse = await httpClientGenuineMember.PostAsync("urlToLoginAction", new JsonContent(request));
AddResponseCookiesToHeaders(httpClientAttacker, loginResponse);
await httpClientGenuineMember.PostAsync("urlToLogoutAction", new JsonContent(request));
//When
var response = await httpClientAttacker.GetAsync("urlToCheckStatusAction");
//Here the actual result is true
var actualResult = response.GetResult<bool>();
//Then
var expectedResult = false;
HttpContext.Session.SetInt32(SessionConstants.Key, value);
HttpContext.Session.Clear();
var sessionValue = HttpContext.Session.GetInt32(SessionConstants.Key);
var httpClientGenuineRequest = GetClient();
var httpClientAttacker = GetClient();
//Given
var request = new LoginRequest()
{
//filled properties
};
var loginResponse = await httpClientGenuineMember.PostAsync("urlToLoginAction", new JsonContent(request));
AddResponseCookiesToHeaders(httpClientAttacker, loginResponse);
await httpClientGenuineMember.PostAsync("urlToLogoutAction", new JsonContent(request));
//When
var response = await httpClientAttacker.GetAsync("urlToCheckStatusAction");
//Here the actual result is true
var actualResult = response.GetResult<bool>();
//Then
var expectedResult = false;
HttpContext.Session.Clear()时您基本上什么也不清除。
正如我所说,这种情况可能令人痛苦,但却是一个活生生的事实,如果我们选择使用.net core 2.1和会话状态,我们的代码必须知道如何处理这种情况。在挖掘代码后,我发现了问题:
问题出在我的测试中。我将登录请求-响应cookies设置为“攻击者的”httpClient,而不是实际用户。结果,它没有得到会话Cookie
,因此我的会话.Clear()
实际上清除了新创建的会话,而不是登录过程中创建的会话
修正测试:
var httpClientGenuineRequest = GetClient();
var httpClientAttacker = GetClient();
//Given
var request = new LoginRequest()
{
//filled properties
};
var loginResponse = await httpClientGenuineMember.PostAsync("urlToLoginAction", new JsonContent(request));
AddResponseCookiesToHeaders(httpClientGenuineMember, loginResponse); // THAT LINE MADE THE DIFFERENCE
AddResponseCookiesToHeaders(httpClientAttacker, loginResponse);
await httpClientGenuineMember.PostAsync("urlToLogoutAction", new JsonContent(request));
//When
var response = await httpClientAttacker.GetAsync("urlToCheckStatusAction");
//Here the actual result is true
var actualResult = response.GetResult<bool>();
//Then
var expectedResult = false;
var httpClientGenuineRequest=GetClient();
var httpClientAttacker=GetClient();
//给定
var请求=新登录请求()
{
//填充特性
};
var loginResponse=await-httpClientGenuineMember.PostAsync(“urlToLoginAction”,new-JsonContent(request));
AddResponseCookiesToHeaders(httpClientGenuineMember,loginResponse);//那条线起了作用
添加ResponseCookiestoHeader(httpClientAttacker、loginResponse);
等待httpClientGenuineMember.PostAsync(“urlToLogoutAction”,新JsonContent(请求));
//什么时候
var response=await httpClientAttacker.GetAsync(“urlToCheckStatusAction”);
//这里的实际结果是正确的
var actualResult=response.GetResult();
//然后
var expectedResult=假;
Session.Clear()
完全按照预期工作。您使用哪个会话存储?(会话也可以完全存储在会话cookie中)这是默认行为吗?我不希望在浏览器关闭时清除会话,而是在用户单击站点上的注销按钮时清除会话。我认为,如果用户拥有会话Cookie,就足以找到正确的会话并将其清除。在常规的.NET中,这将由Session.about()实现。另外,如果我可以用用户在cookie中的Id除去会话中的值就足够了,因为代码会检查特定值是否在会话中。但是,您似乎没有得到正确的答案,我给出了两个关于会话状态的主要场景。一个用于确定会话何时在客户端过期,另一个用于确定会话未清除的原因。请阅读答案和附加的链接:)我想你是对的,我错过了阅读。今天我将测试它,而不是清除或删除该键,将该键的值设置为默认值,因为SetInt32是正确名称空间的扩展。如果这样做有效,我需要实施我自己的清晰机制,如果没有更好的方法,它将设定价值观。这个答案帮助我找到了问题所在。非常感谢你。