正如乔建议的那样,您可以编写一个HttpModule来使给定DateTime之前存在的任何cookie无效。如果将其放在配置文件中,则可以在必要时添加/删除它。例如,
Web.config:
<!--
  Cut-off moment for the forced logout, stored under the key "forcedLogout".
  The value carries no time zone and no culture marker, so its meaning depends
  on how the reading code parses it.
  NOTE(review): an unambiguous format such as ISO 8601 would be safer; confirm against the module's parser.
  Removing this entry switches the forced logout off again.
-->
<appSettings>
  <add key="forcedLogout" value="30-Mar-2011 5:00 pm" />
</appSettings>
<!--
  Registers LogoutModule so that it takes part in every request.
  NOTE(review): <httpModules> is normally a child of <system.web>; under the IIS 7+
  integrated pipeline modules are registered in <system.webServer>/<modules> instead.
  Confirm which applies to the target host.
-->
<httpModules>
  <add name="LogoutModule" type="MyAssembly.Security.LogoutModule, MyAssembly"/>
</httpModules>
MyAssembly.dll中的HttpModule:
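/// <summary>
/// HTTP module that forces a fresh login for every forms-authentication ticket
/// issued before the cut-off time stored in web.config (appSettings key "forcedLogout").
/// </summary>
/// <remarks>
/// <para>
/// The decision is based on the issue date inside the decrypted ticket, not on
/// <c>HttpCookie.Expires</c>: browsers send only the cookie name and value, so the
/// expiry of a request cookie is not populated on the server and cannot be compared.
/// </para>
/// <para>
/// Expiring the cookie only asks the browser to drop it; a copy of an old ticket is
/// refused solely because this module checks it on each request. Keep the
/// "forcedLogout" entry in place at least until every ticket issued before the
/// cut-off has passed its own expiry.
/// </para>
/// <para>
/// NOTE(review): with sliding expiration a renewed ticket presumably carries a fresh
/// issue date, so a cut-off set in the past may miss sessions renewed since then.
/// Confirm, and prefer a cut-off at or after the moment the setting is deployed.
/// </para>
/// See "How To Implement IPrincipal" in MSDN.
/// </remarks>
public class LogoutModule : IHttpModule
{
    /// <summary>Name of the appSettings entry that holds the cut-off time.</summary>
    private const string ForcedLogoutKey = "forcedLogout";

    #region IHttpModule Members

    /// <summary>Nothing to release; the module holds no resources.</summary>
    void IHttpModule.Dispose()
    {
    }

    /// <summary>Subscribes the forced-logout check to the AuthenticateRequest event.</summary>
    /// <param name="context">The application the module is attached to.</param>
    void IHttpModule.Init(HttpApplication context)
    {
        context.AuthenticateRequest += new EventHandler(context_AuthenticateRequest);
    }

    #endregion

    /// <summary>
    /// Handle the authentication request and force logouts according to web.config.
    /// </summary>
    /// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused event data.</param>
    private void context_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication a = (HttpApplication)sender;
        HttpContext context = a.Context;

        DateTime cutoff;
        if (!TryGetForcedLogoutTime(out cutoff))
        {
            // No usable cut-off configured: the forced logout is switched off.
            return;
        }

        // Extract the forms authentication cookie.
        HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
        {
            return;
        }

        FormsAuthenticationTicket ticket = TryDecryptTicket(authCookie.Value);
        if (ticket != null && ticket.IssueDate >= cutoff)
        {
            // Ticket was issued at or after the cut-off: leave the session alone.
            return;
        }

        // Ticket predates the cut-off (or cannot be read): drop it and let the user start over.
        // SignOut expires the cookie with the path and domain the framework issued it with.
        FormsAuthentication.SignOut();

        // endResponse = true stops the rest of the pipeline for this request.
        context.Response.Redirect(FormsAuthentication.LoginUrl, true);
    }

    /// <summary>Reads and parses the configured cut-off time.</summary>
    /// <param name="cutoff">The parsed cut-off; compared as-is with the ticket issue date.</param>
    /// <returns><c>true</c> when the setting exists and is a valid date/time.</returns>
    private static bool TryGetForcedLogoutTime(out DateTime cutoff)
    {
        cutoff = DateTime.MinValue;

        // AppSettings values are strings; they have to be parsed, a cast cannot produce a DateTime.
        string raw = ConfigurationManager.AppSettings[ForcedLogoutKey];
        if (string.IsNullOrEmpty(raw))
        {
            return false;
        }

        // Invariant culture keeps the result independent of the server's regional settings.
        // NOTE(review): an unparseable value silently disables the control; consider logging it.
        return DateTime.TryParse(
            raw,
            System.Globalization.CultureInfo.InvariantCulture,
            System.Globalization.DateTimeStyles.None,
            out cutoff);
    }

    /// <summary>Decrypts a forms-authentication cookie value.</summary>
    /// <param name="encryptedTicket">The raw cookie value sent by the client.</param>
    /// <returns>The ticket, or <c>null</c> when the value cannot be decrypted.</returns>
    private static FormsAuthenticationTicket TryDecryptTicket(string encryptedTicket)
    {
        // The cookie value is client-controlled, so a malformed or tampered value is expected input.
        // NOTE(review): the exception types below are the ones Decrypt is assumed to raise; confirm.
        try
        {
            return FormsAuthentication.Decrypt(encryptedTicket);
        }
        catch (ArgumentException)
        {
            return null;
        }
        catch (HttpException)
        {
            return null;
        }
        catch (System.Security.Cryptography.CryptographicException)
        {
            return null;
        }
    }
}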


