Menu
I need to immediately invalidate and log out any other logged in sessions when a user changes their password, but allow the active session (who has just updated their password) to remain logged in.
To do this, I'm using the UpdateSecurityStampAsync(currentUser.Id); method on the UserManager. All other sessions are successfully logged out, but the active session is also logged out despite the call to SignInAsync after updating the security stamp.
The Identity configuration I'm using is as follows:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(0),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
},
CookieHttpOnly = true,
CookieSecure = CookieSecureOption.SameAsRequest,
SlidingExpiration = false,
ExpireTimeSpan = TimeSpan.FromMinutes(10)
});
The controller code snippet that is updating the password, updating the security stamp, and supposedly logging the current user back in is:
var updateResult = await _userManager.ChangePasswordAsync(currentUser.Id, form.CurrentPassword, form.NewPassword);
if (!updateResult.Succeeded)
{
//handle update failure
}
_signInManager.AuthenticationManager.SignOut();
//updating the security stamp invalidates all other sessions
await _userManager.UpdateSecurityStampAsync(currentUser.Id);
await _signInManager.SignInAsync(currentUser, false, false);
Running the code, the password is successfully updated and all sessions are logged out due to the security stamp being updated. But based on other examples I've seen (like this answer from Chris), the code above should refresh the auth cookie and keep the active user logged in.
I've tried different variations of the above code:
SignIn extension method instead of the async oneall variations produce the same result: The user is forced to log back in after changing their password.
Is there a configuration error or something else that I've overlooked?
EDIT:
I've unintentionally fixed the problem by adding in the DefaultAuthenticationTypes into the SignOut call.
The relevant code now reads as:
//updating the security stamp invalidates all other sessions
await _userManager.UpdateSecurityStampAsync(currentUser.Id);
_signInManager.AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
await _signInManager.SignInAsync(currentUser, false, false);
However, if anyone could explain why the Authentication type is important in this case?
808
ASP.NET Identity is Microsoft's user management library for ASP.NET. It includes functionality such as password hashing, password validation, user storage, and claims management. It usually also comes with some basic authentication, bringing its own cookies and multi-factor authentication to the party.
Don't set validation interval to TimeSpan.FromMinutes(0), as that causes the sign in cookie to be issued immediately, set it to something like 1 second instead.
102
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
