I'm trying to understand better how .NET Identity's OnValidateIdentity method works exactly. I have set up this piece of code in my application as follows:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    CookieName = "LoginCookie",
    ExpireTimeSpan = TimeSpan.FromHours(1),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromHours(1),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});
Does OnValidateIdentity here have the role of checking, when a user accesses my website, how old his cookie is, so that if it's older than the value I've set here (which is 1 hour) the user will be forced to log back into the application?
Is this how it works exactly?
If you would like to gain a fuller understanding, why not read the source code?
In short, this method checks whether the value of the SecurityStamp on the user record has changed. It does the checking every hour (in your set-up). So if the SecurityStamp has changed, the cookie is invalidated. If the SecurityStamp is unchanged from the last time it was checked, the cookie is updated (with a new timestamp), but the user is not logged out.
This feature is useful when a user changes their password and would like to invalidate all existing auth cookies in all browsers.
A bit more detail in my blog post.
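The answer gives the validator's decision rule in prose. The Python script below is added here as an illustration; it is not code from the question, the answer, or ASP.NET Identity itself. It models the rule with a hypothetical in-memory UserStore standing in for ApplicationUserManager and a plain dataclass standing in for the cookie ticket (its IssuedUtc and the SecurityStamp claim). It walks through a sign-in, a password change that rotates the SecurityStamp, and the requests that follow, which makes the point behind the question concrete: the cookie's age alone never forces a re-login; a stale cookie keeps working until the next validation, so revocation can lag by up to validateInterval. The names sign_in, validate_identity and revocation_timeline are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class User:
    """Stand-in for an Identity user record (hypothetical, not ASP.NET's type)."""
    id: str
    security_stamp: str


@dataclass(frozen=True)
class AuthCookie:
    """The parts of the application cookie that matter here: the user id,
    the SecurityStamp claim snapshotted at sign-in, and the issue time."""
    user_id: str
    security_stamp: str
    issued_utc: datetime


class UserStore:
    """Hypothetical in-memory store playing the role of ApplicationUserManager."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def add(self, user: User) -> None:
        self._users[user.id] = user

    def find_by_id(self, user_id: str) -> Optional[User]:
        return self._users.get(user_id)

    def update_security_stamp(self, user_id: str) -> str:
        """Rotate the stamp, as Identity does on password change or when an
        external login is added. Every cookie issued before this call now
        carries a stale stamp and will fail its next validation."""
        user = self._users[user_id]
        user.security_stamp = secrets.token_hex(16)
        return user.security_stamp


def sign_in(user: User, now: datetime) -> AuthCookie:
    """Issue a cookie that snapshots the user's current SecurityStamp."""
    return AuthCookie(user.id, user.security_stamp, now)


def validate_identity(cookie: AuthCookie, store: UserStore, now: datetime,
                      validate_interval: timedelta) -> Tuple[str, Optional[AuthCookie]]:
    """Model of what SecurityStampValidator.OnValidateIdentity does per request.

    Returns (outcome, cookie):
      ("skipped", cookie)      - interval not yet exceeded since issue; nothing is checked
      ("rejected", None)       - user missing or stamp changed; identity rejected, user signed out
      ("regenerated", cookie)  - stamp unchanged; identity regenerated and a fresh cookie issued
    """
    # The real validator only hits the store once more than validateInterval
    # has elapsed since the cookie's IssuedUtc; in between, the cookie is trusted as-is.
    if now - cookie.issued_utc <= validate_interval:
        return "skipped", cookie
    user = store.find_by_id(cookie.user_id)
    if user is None or user.security_stamp != cookie.security_stamp:
        return "rejected", None
    # Unchanged stamp: regenerateIdentity runs and SignIn re-issues the cookie,
    # so IssuedUtc moves to 'now' and the next check is one full interval away.
    return "regenerated", AuthCookie(user.id, user.security_stamp, now)


def revocation_timeline() -> List[str]:
    """Sign in, change the password, and observe when the old cookie stops working."""
    store = UserStore()
    alice = User("alice", secrets.token_hex(16))
    store.add(alice)
    interval = timedelta(hours=1)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    outcomes: List[str] = []

    cookie = sign_in(alice, t0)

    # 30 min later: interval not exceeded, cookie age is not even looked at against the store.
    outcome, cookie = validate_identity(cookie, store, t0 + timedelta(minutes=30), interval)
    outcomes.append(outcome)

    # 61 min later: stamp checked, unchanged, cookie re-issued with IssuedUtc = t0 + 61 min.
    outcome, cookie = validate_identity(cookie, store, t0 + timedelta(minutes=61), interval)
    outcomes.append(outcome)

    # Password change at roughly t0 + 70 min rotates the stamp on the user record.
    store.update_security_stamp("alice")

    # 90 min after sign-in: only 29 min since re-issue, so the stale cookie is still accepted.
    outcome, cookie = validate_identity(cookie, store, t0 + timedelta(minutes=90), interval)
    outcomes.append(outcome)

    # 122 min after sign-in: interval exceeded, stamp mismatch, identity rejected.
    outcome, cookie = validate_identity(cookie, store, t0 + timedelta(minutes=122), interval)
    outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    print(revocation_timeline())
```

The third outcome is the one to keep in mind when relying on this mechanism for "log out everywhere": a one-hour validateInterval means a cookie captured before a password change can stay valid for up to an hour afterwards. Lowering the interval tightens that window at the cost of a user lookup per request once it elapses; the cookie's ExpireTimeSpan is a separate, unrelated lifetime.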