I've been trying to find a clear answer as to why I'm seeing this behavior. I'm using the Microsoft ASP.NET Identity template project to just see how Identity, OWIN, etc. work. I'm noticing that every time I make a request (go to Contact, Manage, etc.), my AspNet.ApplicationCookie has a different encrypted string (when using developer tools on Chrome or IE). At first I thought it's maybe because I didn't put any claims for the user, but I tried adding some claims and still saw the same behavior. Has anyone seen this, or does anyone know why? Is it just that the encrypted cookie changes because of how the OWIN middleware encrypts the cookie? Any help is greatly appreciated.
I read https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/ and http://tech.trailmax.info/2014/08/aspnet-identity-cookie-format/, but neither really gets to exactly why I might see the behavior I'm seeing. Thanks again everyone.
UPDATE: Here's my startup.Auth.cs
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// ApplicationDbContext, ApplicationUserManager, ApplicationSignInManager and ApplicationUser
// are the classes generated by the ASP.NET Identity template project.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        // Configure the sign in cookie
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            LogoutPath = new PathString("/Account/LogOff"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(0),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },
        });

        //app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        // these two lines of code are needed if you are using any of the external authentication middleware
        app.Properties["Microsoft.Owin.Security.Constants.DefaultSignInAsAuthenticationType"] = "ExternalCookie";
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ExternalCookie",
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
        });

        // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

        // Enables the application to remember the second login verification factor such as phone or email.
        // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
        // This is similar to the RememberMe option when you log in.
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
    }
}
AspNet.ApplicationCookie is basically created when you use cookie authentication in your application. This cookie is created by the server on user request and is stored by the browser. AspNet.ApplicationCookie gets sent with each subsequent request to inform the server of the identity of the logged-in user.
Microsoft.AspNet.Identity.OWIN: This package contains functionality that is used to plug OWIN authentication into ASP.NET Identity in ASP.NET applications. This is used when you add sign-in functionality to your application and call into the OWIN Cookie Authentication middleware to generate a cookie.
ASP.NET Core Identity is an API that supports user interface (UI) login functionality. It manages users, passwords, profile data, roles, claims, tokens, email confirmation, and more.
Your issue is in the line validateInterval: TimeSpan.FromMinutes(0),
Here you effectively say "regenerate cookie on every request" - this is for global cookie invalidation when the security stamp is changed.
Set validateInterval to a couple of minutes - you won't get the cookie invalidated on every request, only every however many minutes you set it to.
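As an added example (not code from the question or from either answer), here is the sign-in cookie registration with the zero validateInterval from the question placed beside a corrected version, plus a small helper that forces every outstanding cookie for one user to fail its next stamp check. ApplicationDbContext, ApplicationUserManager, ApplicationUser and GenerateUserIdentityAsync are the template's names as they appear in the question; the 30-minute interval, the method names and the SessionRevocation class are assumptions of mine, not part of the template.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // As posted in the question: with validateInterval = 0, "issued time + 0 minutes" is
    // always in the past, so SecurityStampValidator re-reads the user, rebuilds the identity
    // and re-issues the cookie on every request. Only the encrypted cookie value changes;
    // the claims inside it are the same each time.
    private static CookieAuthenticationOptions RegenerateOnEveryRequest()
    {
        return new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(0),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        };
    }

    // Corrected: the stamp is only re-checked once the cookie is older than the interval.
    // Trade-off: a stamp change (password change, "sign out everywhere") takes effect on an
    // existing cookie only at its next check, i.e. up to 30 minutes later (assumed value).
    private static CookieAuthenticationOptions RevalidateEveryThirtyMinutes()
    {
        return new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        };
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        // The validator resolves the user manager from the OWIN context, so it must be registered first.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(RevalidateEveryThirtyMinutes());
    }
}

// Hypothetical helper (not part of the template): something an administrator action or a
// "sign out of all devices" button could call.
public static class SessionRevocation
{
    // Rotating the security stamp makes every cookie issued for this user fail its next
    // SecurityStampValidator check, which happens within validateInterval of the cookie's
    // issue time; the user is then treated as signed out and redirected to LoginPath.
    public static Task<IdentityResult> RevokeAllSessionsAsync(ApplicationUserManager manager, string userId)
    {
        return manager.UpdateSecurityStampAsync(userId);
    }
}
```

Password changes through UserManager.ChangePasswordAsync already rotate the stamp, so the helper is only needed for revocation that is not tied to a credential change. Pick validateInterval as the longest window you are willing to let a revoked session stay alive; the zero value from the question closes that window entirely, at the cost of a user lookup and a new cookie on every request.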