daohualiuxiang
/
AspNetCore.Docs
mirror of https://github.com/dotnet/AspNetCore.Docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Session state/GDPR clarification (#11270) 

Fixes #11269 

Bit of a *nit PR*. The original text is good. This just clarifies a bit further by explicitly stating that the site visitor must permit tracking under GDPR for sessions to work.
pull/11277/head
Luke Latham 2019-03-04 20:47:31 -06:00 committed by Rick Anderson
parent 8b53019f54
commit c9adbb9ae1
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
aspnetcore/fundamentals/app-state.md
View File

@ -4,7 +4,7 @@ author: rick-anderson
description: Discover approaches to preserve session and app state between requests.
ms.author: riande
ms.custom: mvc
ms.date: 06/14/2018
ms.date: 03/04/2019
uid: fundamentals/app-state
---
# Session and app state in ASP.NET Core
@ -58,7 +58,7 @@ Session state exhibits the following behaviors:
* The app retains a session for a limited time after the last request. The app either sets the session timeout or uses the default value of 20 minutes. Session state is ideal for storing user data that's specific to a particular session but where the data doesn't require permanent storage across sessions.
* Session data is deleted either when the [ISession.Clear](/dotnet/api/microsoft.aspnetcore.http.isession.clear) implementation is called or when the session expires.
* There's no default mechanism to inform app code that a client browser has been closed or when the session cookie is deleted or expired on the client.
The ASP.NET Core MVC and Razor pages templates include support for [General Data Protection Regulation (GDPR) support](xref:security/gdpr). [Session state cookies aren't essential](xref:security/gdpr#tempdata-provider-and-session-state-cookies-are-not-essential), session state isn't functional when tracking is disabled.
The ASP.NET Core MVC and Razor pages templates include support for General Data Protection Regulation (GDPR). Session state cookies aren't marked essential by default, so session state isn't functional unless tracking is permitted by the site visitor. For more information, see <xref:security/gdpr#tempdata-provider-and-session-state-cookies-are-not-essential>.
> [!WARNING]
> Don't store sensitive data in session state. The user might not close the browser and clear the session cookie. Some browsers maintain valid session cookies across browser windows. A session might not be restricted to a single user&mdash;the next user might continue to browse the app with the same session cookie.