如何注销 ASP.NET Core cookie 身份验证中的所有用户?

问题描述

我正在使用带有 CookieAuthentication 的 ASP.NET Core MVC.有没有办法让所有用户同时退出?我尝试重置 IIS - 没有用.我尝试删除所有用户的会话(我正在使用数据库进行会话存储) - 没有用.

I'm using ASP.NET Core MVC with CookieAuthentication. Is there a way I can sign all users out at once? I tried resetting IIS - didn't work. I tried deleting all the users' sessions (I'm using a database for session storage) - didn't work.

有什么想法吗?

推荐答案

使用 CookieAuthentication，cookie 只是一个包含用户名、角色和辅助数据的加密字符串.简而言之，它识别的是用户，而不是会话.杀死会话不会使cookie失效.

With CookieAuthentication, the cookie is simply an encrypted string containing the user's name, roles, and auxilliary data. In short, it identifies the user, not the session. Killing sessions does not invalidate the cookie.

话虽如此，您可以在 cookie 的辅助数据中填充会话标识符或其他令牌，然后在身份验证过程中对其进行验证.可以找到尝试此操作的示例 这里.

That being said, you can stuff a session identifier or other token in the cookie's auxiliary data, and then validate that during the authentication process. An example of someone trying to this can be found here.

另一个选项是您可以暂时禁用用户存储库中的用户，而不是使会话无效.这里是使用 ASPNET Identity 2.0 的示例.

Another option is instead of invalidating sessions you can temporarily disable users in your user repository. Here is an example using ASPNET Identity 2.0.

第三个(核)选项是更改 机器密钥所有 Web 服务器，这将使任何旧的表单身份验证 cookie 无法读取，从而迫使所有用户重新登录.

A third (nuclear) option is to change the machine key on all web servers, which will render any old forms authentication cookies unreadable, forcing all users to sign on again.

这篇关于如何注销 ASP.NET Core cookie 身份验证中的所有用户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！