Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to invalidate .AspNet.ApplicationCookie after Adding user to Role using Asp.Net Identity 2?

I have 2 questions related to that:

1) I need to invalidate.AspNet.ApplicationCookie after Adding / Removing some remote user to Role using Asp.Net Identity 2. I Tried to use UpdateSecurityStamp, but since no password or username is changed, SecurityStamp remains same. When I use ApplicationRoleManger I can see that User roles are updated but in User.Identity Claims they stay unchanged.

2) How does .AspNet.ApplicationCookie Validation work and how can I access it?

I was trying to use this code, but with no effect

What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?

Update: This is my Cookie Auth setting:

 app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromSeconds(0),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
                OnApplyRedirect = ctx =>
                {
                    if (!IsApiRequest(ctx.Request))
                    {
                        ctx.Response.Redirect(ctx.RedirectUri);
                    }
                }
            }
        });

I can see that user.GenerateUserIdentityAsync(manager) is hitted only on login.

like image 374
Tonda Krist Avatar asked Aug 28 '14 10:08

Tonda Krist


2 Answers

Setting CookieAuthenticationOptions is not enough. When I created new ASP.NET MVC project in VS everything is working good and GenerateUserIdentityAsync() is hitted by each request (if validateInterval is 0). The only problem was that you have to register context per request:

app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

As I am using Winsdor Castle to create context per request, I deleted these lines from template. In injected method in ApplicationUserManager.Create is set UserTokenProvider, which does the magic perharps.

Nowhere in documentation is anything about that, but finally it solves the problem.

If you are using your own IoC, you can resolve dependency this way (eg. using Castle Winsdor)

app.CreatePerOwinContext(() => IoCContainerManager.Container.Resolve<ApplicationDBContext>());
app.CreatePerOwinContext(() => IoCContainerManager.Container.Resolve<ApplicationUserManager>());

and register types this way:

container.Register(Component.For<ApplicationDBContext>().LifestylePerWebRequest());
container.Register(Component.For<ApplicationUserManager>().LifestylePerWebRequest());
like image 135
Tonda Krist Avatar answered Nov 03 '22 17:11

Tonda Krist


If you want to change the security stamp after adding to a role use this:

UserManager.UpdateSecurityStampAsync(User.Id)

And don't set validateInterval to TimeSpan.FromSeconds(0) - this basically means database will be hit every on request. Set it to something like 10 minutes.

Just last night I've blogged about CookieAuthenticationProvider and how it invalidates the cookie. Basically the cookie contains information about time it was created. If it is older than validateInterval, then reach to database, get user record and compare security stamps in cookie and in the DB. If stamp not changed, issue a new cookie with new issue date. If stamps don't match, invalidate the cookie and log-out user.

like image 30
trailmax Avatar answered Nov 03 '22 18:11

trailmax