
ASP.NET Updating the FormsAuthenticationTicket

Developer https://www.devze.com 2023-01-17 12:18 Source: web

When a user logs into my site I create the following authentication ticket:

// Create the authentication ticket
var authTicket = new FormsAuthenticationTicket(1, // Version
                    userName, // Username
                    DateTime.UtcNow,             // Creation
                    DateTime.UtcNow.AddMinutes(10080), // Expiration
                    createPersistentCookie, // Persistent
                    user.Role.RoleName + "|~|" + user.UserID + "|~|" + user.TimeZoneID); // Additional data

// Encrypt the ticket
var encTicket = FormsAuthentication.Encrypt(authTicket);

// Store the ticket in a cookie; only give it an expiry (so it survives the browser session) when "remember me" was chosen
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket) { HttpOnly = true };
if (createPersistentCookie)
    authCookie.Expires = authTicket.Expiration;
HttpContext.Current.Response.Cookies.Add(authCookie);

Then in my Global.asax.cs file I have the following:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Get the authentication cookie
    var authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];

    // If it exists then decrypt and setup the generic principal
    if (authCookie != null && !string.IsNullOrEmpty(authCookie.Value))
    {
        var ticket = FormsAuthentication.Decrypt(authCookie.Value);
        // UserIdentity simply reads the ticket's user data and exposes the role, user id and time zone id as properties
        var id = new UserIdentity(ticket);
        var principal = new GenericPrincipal(id, new string[] { id.RoleName });
        HttpContext.Current.User = principal;
    }
}

protected void Session_Start(object sender, EventArgs e)
{
    // If the user has been disabled then log them out
    if (Request.IsAuthenticated)
    {
        var user = _userRepository.Single(u => u.UserName == HttpContext.Current.User.Identity.Name);

        if (!user.Enabled)
            FormsAuthentication.SignOut();
    }
}

So far so good. The problem I have is that if an administrator changes a user's role or time zone, then the next time they return to the site their ticket is not updated (if they selected "remember me" when logging in).

Here are my authentication settings in case it helps:

<authentication mode="Forms">
    <forms timeout="10080" slidingExpiration="true" />
</authentication>
<membership userIsOnlineTimeWindow="15" />

I've been reading up on slidingExpiration, but as far as I can tell it only increases the expiration time and doesn't renew the contents of the cookie. I'd really appreciate it if someone could help. Thanks.


I simply changed my Session_Start to:

// If the user is disabled then log them out else update their ticket
if (Request.IsAuthenticated)
{
    var user = _userRepository.Single(u => u.UserName == HttpContext.Current.User.Identity.Name);

    if (!user.Enabled)
        FormsAuthentication.SignOut();
    else
        RenewTicket(); // This calls the same code to create the cookie as used when logging in
}
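The accepted answer renews the ticket in Session_Start, which fires once when a session begins, not on every request (and not at all if session state is disabled), so a user with a live session keeps the old role until that session ends. The following is an added example, not the asker's code, that moves the check into Application_AuthenticateRequest and rebuilds the ticket from the database whenever the one in the cookie is older than a chosen age. The User, Role and IUserRepository types are stand-ins shaped after how the question uses them, MaxTicketAge is an assumed value, and UserIdentity is the asker's own class, referenced but not redefined here.

```csharp
using System;
using System.Linq.Expressions;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Stand-ins matching how the question's code uses them (assumed shapes, not the asker's real types).
public class Role { public string RoleName; }
public class User { public string UserName; public int UserID; public int TimeZoneID; public bool Enabled; public Role Role; }
public interface IUserRepository { User Single(Expression<Func<User, bool>> predicate); }

public static class TicketRenewal
{
    const string Separator = "|~|";                                   // same separator the login code uses in UserData
    static readonly TimeSpan MaxTicketAge = TimeSpan.FromMinutes(5);  // assumed: how stale the cached role may get

    // Builds exactly the ticket the login code builds, from a freshly loaded user record.
    public static FormsAuthenticationTicket BuildTicket(User user, bool persistent)
    {
        return new FormsAuthenticationTicket(1, user.UserName,
            DateTime.UtcNow, DateTime.UtcNow.AddMinutes(10080), persistent,
            user.Role.RoleName + Separator + user.UserID + Separator + user.TimeZoneID);
    }

    public static void WriteCookie(HttpResponse response, FormsAuthenticationTicket ticket)
    {
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                              // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (ticket.IsPersistent)
            cookie.Expires = ticket.Expiration;           // "remember me": survives the browser session
        response.Cookies.Add(cookie);
    }

    // Returns the ticket that should back the principal for this request, or null when the user must be signed out.
    // A young ticket is trusted as-is; an older one is rebuilt from the database so role changes propagate.
    public static FormsAuthenticationTicket RefreshIfStale(FormsAuthenticationTicket ticket, IUserRepository repo, HttpContext ctx)
    {
        // FormsAuthenticationTicket.IssueDate is exposed in local time, so compare against DateTime.Now.
        if (DateTime.Now - ticket.IssueDate < MaxTicketAge)
            return ticket;

        var user = repo.Single(u => u.UserName == ticket.Name);
        if (user == null || !user.Enabled)
        {
            FormsAuthentication.SignOut();                // a disabled or deleted account loses access at the next check, not the next session
            return null;
        }

        var renewed = BuildTicket(user, ticket.IsPersistent);
        WriteCookie(ctx.Response, renewed);
        return renewed;
    }
}

// Global.asax.cs: the asker's handler with the staleness check added.
public partial class MvcApplication : HttpApplication
{
    IUserRepository _userRepository;                      // assumed to be resolved elsewhere, as in the question

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { return; }                     // tampered cookie, or one from another machineKey: treat as anonymous
        if (ticket == null || ticket.Expired)
            return;

        ticket = TicketRenewal.RefreshIfStale(ticket, _userRepository, Context);
        if (ticket == null)
            return;

        var id = new UserIdentity(ticket);                // the asker's identity class, unchanged
        Context.User = new GenericPrincipal(id, new[] { id.RoleName });
    }
}
```

MaxTicketAge is the trade-off knob: it bounds how long a revoked role or disabled account stays usable, against one database read per user per interval. The persistent flag of the renewed ticket is copied from the old one, so a "remember me" login stays remembered after renewal.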


My proposal would be to use another cookie for the remember-me. This way the session info can be an in-memory cookie, while the remember-me cookie can be set to persist.
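One way to build the two-cookie scheme this answer proposes, as an added example that is not the answerer's code: the forms ticket is always non-persistent, and a separate persistent cookie carries a random "selector:validator" token whose validator is stored server-side only as a hash. When the browser returns without a forms ticket, the token is checked and a fresh ticket is issued from the database, so the role and time zone are current at the start of every browser session. IRememberMeStore, RememberMeRecord, the cookie name, the seven-day lifetime and the User/IUserRepository stand-ins are all assumptions; the selector/validator split is a common pattern, not something the answer specifies.

```csharp
using System;
using System.Linq.Expressions;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Stand-ins shaped after the question's usage (assumed, not the asker's real types).
public class Role { public string RoleName; }
public class User { public string UserName; public int UserID; public int TimeZoneID; public bool Enabled; public Role Role; }
public interface IUserRepository { User Single(Expression<Func<User, bool>> predicate); }

// Server-side record for one remember-me token; the store (e.g. a table keyed by selector) is assumed.
public class RememberMeRecord { public byte[] ValidatorHash; public string UserName; public DateTime ExpiresUtc; }
public interface IRememberMeStore
{
    void Save(string selector, RememberMeRecord record);
    RememberMeRecord Find(string selector);               // null when unknown
    void Delete(string selector);
}

public static class RememberMe
{
    public const string CookieName = "rememberme";        // assumed name
    static readonly TimeSpan Lifetime = TimeSpan.FromDays(7);

    // At login, when "remember me" is ticked: persistent cookie holds "selector:validator"; only SHA-256(validator) is stored.
    public static void Issue(string userName, IRememberMeStore store, HttpResponse response)
    {
        var selector = RandomHex(12);                     // lookup key, not secret
        var validator = RandomHex(32);                    // secret half, never stored in clear
        store.Save(selector, new RememberMeRecord
        {
            ValidatorHash = Sha256(validator), UserName = userName, ExpiresUtc = DateTime.UtcNow + Lifetime
        });
        response.Cookies.Add(new HttpCookie(CookieName, selector + ":" + validator)
        {
            HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = "/", Expires = DateTime.Now + Lifetime
        });
    }

    // Returns the user name the cookie vouches for, or null. A known selector with the wrong validator
    // means the secret half was guessed or the cookie was tampered with, so the record is revoked.
    public static string Validate(HttpCookie cookie, IRememberMeStore store)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        var parts = cookie.Value.Split(':');
        if (parts.Length != 2) return null;
        var record = store.Find(parts[0]);
        if (record == null || record.ExpiresUtc < DateTime.UtcNow) return null;
        if (!FixedTimeEquals(record.ValidatorHash, Sha256(parts[1])))
        {
            store.Delete(parts[0]);
            return null;
        }
        return record.UserName;
    }

    // Call from Application_AuthenticateRequest when no forms cookie is present. Returns the new non-persistent
    // ticket (already written to the response) or null; the caller builds the principal from it as at login.
    public static FormsAuthenticationTicket TryResume(HttpContext ctx, IRememberMeStore store, IUserRepository users)
    {
        var userName = Validate(ctx.Request.Cookies[CookieName], store);
        if (userName == null) return null;
        var user = users.Single(u => u.UserName == userName);
        if (user == null || !user.Enabled) return null;   // disabled accounts cannot resume, whatever the cookie says
        // Same ticket as the question's login code, but persistent = false: it dies with the browser session
        // and is rebuilt here, with the current role, the next time the browser comes back.
        var ticket = new FormsAuthenticationTicket(1, user.UserName, DateTime.UtcNow, DateTime.UtcNow.AddMinutes(10080), false,
            user.Role.RoleName + "|~|" + user.UserID + "|~|" + user.TimeZoneID);
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = FormsAuthentication.FormsCookiePath
        });
        return ticket;
    }

    static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }
    static byte[] Sha256(string s) { using (var h = SHA256.Create()) return h.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On explicit logout, delete the record for the cookie's selector as well as calling FormsAuthentication.SignOut, otherwise the persistent half keeps working; disabling an account should likewise delete all of that user's records. Because the forms ticket is never persistent, the staleness window for a role change is at most one browser session rather than the ticket's 10080-minute lifetime.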

