Asp.Net Identity with 2FA - remember browser cookie not retained after session

Backend · unresolved · 2 answers · 1439 views
余生分开走 2020-12-31 06:19

I'm using the latest sample code for MVC5.2 with Asp.Identity and Two Factor authentication.

With 2FA enabled, when a user logs in, they get prompted for a code (sent

2 answers
  •  感动是毒
    2020-12-31 06:40

    It doesn't seem like this code was designed to set more than one identity cookie in the same request/response because the OWIN cookie handlers end up sharing the same AuthenticationProperties. This is because the AuthenticationResponseGrant has a single principal, but the principal can have multiple identities.

    You can workaround this bug by altering and then restoring the AuthenticationProperties in the ResponseSignIn and ResponseSignedIn events specific to the 2FA cookie provider:

        // Needs: using System; using Microsoft.AspNet.Identity;
        //        using Microsoft.Owin.Security; using Microsoft.Owin.Security.Cookies;

        // Don't use this: it registers the middleware without the events below.
        //app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);

        // Set the 2FA cookie expiration and persistence directly.
        // ExpireTimeSpan and SlidingExpiration should match the Asp.Net Identity cookie settings,
        // because both cookie handlers read the same AuthenticationProperties during sign-in.
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            CookieName = DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie,
            ExpireTimeSpan = TimeSpan.FromHours(2),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                // Runs before this handler writes its cookie: stash the shared values, then make
                // the remember-browser cookie persistent for 14 days. This cookie lets the browser
                // skip the second factor on later logins, so its lifetime bounds that bypass.
                OnResponseSignIn = ctx =>
                {
                    ctx.OwinContext.Set("auth-prop-expires", ctx.Properties.ExpiresUtc);
                    ctx.OwinContext.Set("auth-prop-persist", ctx.Properties.IsPersistent);
                    var issued = ctx.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
                    ctx.Properties.ExpiresUtc = issued.AddDays(14);
                    ctx.Properties.IsPersistent = true;
                },
                // Runs after the cookie is written: restore the original values so the application
                // cookie handler, which shares this AuthenticationProperties object, is unaffected.
                // IOwinContext.Get<T> requires the type argument; an untyped Get("...") does not compile.
                OnResponseSignedIn = ctx =>
                {
                    ctx.Properties.ExpiresUtc = ctx.OwinContext.Get<DateTimeOffset?>("auth-prop-expires");
                    ctx.Properties.IsPersistent = ctx.OwinContext.Get<bool>("auth-prop-persist");
                }
            }
        });
    

    Make sure to set the same ExpireTimeSpan and SlidingExpiration as your main Asp.Net Identity cookie to preserve those settings (since they get merged in the AuthenticationResponseGrant).
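The answer's reasoning about the shared AuthenticationProperties, shown as an added console model that is not part of the original answer and is not Katana's own code. It uses the real AuthenticationProperties and OwinContext types (Microsoft.Owin and Microsoft.Owin.Security packages), but the class SharedPropertiesDemo, the IssueCookie and Noop helpers are assumptions of mine: IssueCookie is a stripped-down stand-in for what a cookie handler does with the properties, and the model assumes the 2FA remember-browser handler applies the grant before the application-cookie handler, which is what the answer's need for a restore step implies. Both identities get the one AuthenticationProperties object that SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: true) creates; the two runs show the application cookie's lifetime with and without the save/restore pair.

```csharp
// Added model (not the answer's code, not Katana's): two cookie handlers deriving their
// cookies from the single AuthenticationProperties object shared by both identities in
// one SignIn() call. Requires the Microsoft.Owin and Microsoft.Owin.Security packages.
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security;

class SharedPropertiesDemo
{
    // Simplified model (assumption) of a cookie handler's sign-in step: fire ResponseSignIn,
    // derive the cookie lifetime (ExpiresUtc, else IssuedUtc + ExpireTimeSpan) and whether the
    // cookie is persisted (IsPersistent), then fire ResponseSignedIn. Ticket serialisation is
    // left out because it does not touch the shared properties.
    static string IssueCookie(string name, AuthenticationProperties props, TimeSpan expireTimeSpan,
                              Action<AuthenticationProperties> onResponseSignIn,
                              Action<AuthenticationProperties> onResponseSignedIn)
    {
        onResponseSignIn(props);
        var issued = props.IssuedUtc ?? DateTimeOffset.UtcNow;
        var expires = props.ExpiresUtc ?? issued.Add(expireTimeSpan);
        var persisted = props.IsPersistent;
        onResponseSignedIn(props);
        return string.Format("  {0,-24} persistent={1,-5} lifetime={2:0.##} days",
                             name, persisted, (expires - issued).TotalDays);
    }

    static void Noop(AuthenticationProperties p) { }

    static void Main()
    {
        var twoHours = TimeSpan.FromHours(2);   // matches the ExpireTimeSpan in the answer
        var now = DateTimeOffset.UtcNow;
        var ctx = new OwinContext();

        Console.WriteLine("Without save/restore (2FA handler applies first and mutates the shared object):");
        var shared = new AuthenticationProperties { IsPersistent = false, IssuedUtc = now };
        Console.WriteLine(IssueCookie("TwoFactorRememberBrowser", shared, twoHours,
            p => { p.ExpiresUtc = p.IssuedUtc.Value.AddDays(14); p.IsPersistent = true; },
            Noop));
        Console.WriteLine(IssueCookie("ApplicationCookie", shared, twoHours, Noop, Noop));
        // ApplicationCookie comes out persistent for 14 days although "remember me" was not ticked.

        Console.WriteLine("With save/restore (the answer's OnResponseSignIn/OnResponseSignedIn pair):");
        shared = new AuthenticationProperties { IsPersistent = false, IssuedUtc = now };
        Console.WriteLine(IssueCookie("TwoFactorRememberBrowser", shared, twoHours,
            p =>
            {
                ctx.Set("auth-prop-expires", p.ExpiresUtc);     // stash the shared values
                ctx.Set("auth-prop-persist", p.IsPersistent);
                p.ExpiresUtc = p.IssuedUtc.Value.AddDays(14);
                p.IsPersistent = true;
            },
            p =>
            {
                p.ExpiresUtc = ctx.Get<DateTimeOffset?>("auth-prop-expires");   // put them back
                p.IsPersistent = ctx.Get<bool>("auth-prop-persist");
            }));
        Console.WriteLine(IssueCookie("ApplicationCookie", shared, twoHours, Noop, Noop));
        // ApplicationCookie is back to a 2-hour session cookie; only the 2FA cookie is persistent.
    }
}
```

The first run is the failure mode the workaround guards against in the other direction: whatever one handler leaves in the shared object, the next handler treats as its own sign-in settings, so a 14-day remember-browser cookie silently drags the application cookie along with it, and a non-persistent application sign-in (the question's symptom) drags the remember-browser cookie down to session lifetime.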
