Question
When I activate the OWIN logout-everywhere feature via security stamps and use the OnValidateIdentity callback of the CookieAuthenticationProvider with the SecurityStampValidator class, the user is logged out every time he closes the browser.
    provider.OnValidateIdentity =
        SecurityStampValidator.OnValidateIdentity<MyUserManager, MyUser>(
            System.TimeSpan.FromSeconds(10), (manager, user) => {
                return user.GenerateUserIdentityAsync(manager);
            });
However, when I do the plumbing myself (lookup and comparison of the security stamps, rejecting or renewing the identity) in the OnValidateIdentity callback, everything seems to work fine.
Is this a known bug, or am I missing something here? Or is there good documentation about the CookieAuthenticationProvider and the use of OnValidateIdentity?
Digging with Google only shows me some simple samples, but gives no further insight.
Additional information
- I use my own implementation of the UserStorage, which saves all the data in a database
- I noted that every page request calls the GetSecurityStampAsync of the UserStorage twice, whereas when I use my implementation, only one call is made.
- Installed Identity Version is 2.0.1
Answer 1:
This is resolved in ASP.NET Identity 2.2. See https://aspnetidentity.codeplex.com/workitem/2319
Answer 2:
This is basically a bug, the regeneration of the cookie should respect the current Remember Me option on the cookie. As a workaround, you can copy the OnValidateIdentity code and feed in the current context properties to flow the Persistent mode through:
    context.OwinContext.Authentication.SignIn(context.Properties, identity);
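The workaround from the answer above, written out as an added example (not the poster's code and not the library source). It assumes string user keys, a MyUserManager registered on the OWIN context, and the question's GenerateUserIdentityAsync method; the class name PersistentStampValidator and the resetting of IssuedUtc/ExpiresUtc are additions made here.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;

// Hypothetical helper; MyUserManager and MyUser are the question's types (string keys assumed).
public static class PersistentStampValidator
{
    // Claim type under which Identity 2.x stores the security stamp.
    private const string StampClaimType = "AspNet.Identity.SecurityStamp";

    public static Func<CookieValidateIdentityContext, Task> OnValidateIdentity(TimeSpan interval)
    {
        return async context =>
        {
            // Only revalidate once the ticket is older than the interval.
            var issued = context.Properties.IssuedUtc;
            var now = context.Options.SystemClock.UtcNow;
            if (issued.HasValue && now - issued.Value <= interval) return;

            var manager = context.OwinContext.GetUserManager<MyUserManager>();
            var userId = context.Identity.GetUserId();
            MyUser user = null;
            if (manager != null && userId != null)
                user = await manager.FindByIdAsync(userId);

            // Fail closed: an unknown user or a changed stamp ends the session.
            var stampOk = user != null && manager.SupportsUserSecurityStamp
                && context.Identity.FindFirstValue(StampClaimType)
                   == await manager.GetSecurityStampAsync(userId);
            if (!stampOk)
            {
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
                return;
            }

            var identity = await user.GenerateUserIdentityAsync(manager);
            if (identity == null) return;

            // Clear the timestamps so the reissued cookie gets a fresh issue time
            // and expiry instead of carrying over the old ticket's values.
            context.Properties.IssuedUtc = null;
            context.Properties.ExpiresUtc = null;
            // Passing context.Properties keeps IsPersistent (Remember Me) on the new cookie.
            context.OwinContext.Authentication.SignIn(context.Properties, identity);
        };
    }
}
```

It is wired up in place of the built-in validator with provider.OnValidateIdentity = PersistentStampValidator.OnValidateIdentity(TimeSpan.FromSeconds(10)).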
Answer 3:
I have found the following code in the disassembly of SecurityStampValidator.OnValidateIdentity:
    // .. some other code
    // ...
    ClaimsIdentity claimsIdentity = await regenerateIdentityCallback(userManager, tUser);
    if (claimsIdentity != null) {
        context.get_OwinContext().get_Authentication().SignIn(new ClaimsIdentity[]
        {
            claimsIdentity
        });
    }
It seems to me that the SignIn operation is incomplete and should set the remember-me option? Therefore I assume that the implementation of SecurityStampValidator is buggy.
Source: https://stackoverflow.com/questions/24352533/onvalidateidentity-disables-the-mvc-owin-remember-me-option