All geek questions in one place

Asp.net mvc identity SecurityStamp issues everywhere

What I want to do is restrict the user ID to only be able to log into the system on one device at a time. For example, the user ID "abc" logs on to your computer. The user ID "abc" is now trying to log in from his phone. I want this to happen to kill a session on my computer.

I use asp.net mvc membership and use SecurityStamp for this purpose. This is my code in the Account / Login action:

[HttpPost] [AllowAnonymous] [ValidateAntiForgeryToken] public async Task<ActionResult> Login(LoginViewModel model, string returnUrl) { var user = UserManager.FindByEmail(model.Email); var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false); await UserManager.UpdateSecurityStampAsync(user.Id);

According to the UpdateSecurityStampAsync method UpdateSecurityStampAsync doc says: Create a new security stamp for the user to use for the SignOutEverywhere function. But that will not work.

+5
source share
1 answer

If you want to enable instant cookie invalidation on other devices, each request must go to the cookie verification database. To do this, you need to set the cookie invalidity in Auth.Config.cs and set validateInterval to 0:

 app.UseCookieAuthentication(new CookieAuthenticationOptions { Provider = new CookieAuthenticationProvider { // Enables the application to validate the security stamp when the user logs in. // This is a security feature which is used when you change a password or add an external login to your account. OnValidateIdentity = SecurityStampValidator .OnValidateIdentity<UserManager, ApplicationUser>( validateInterval: TimeSpan.FromSeconds(0), regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager)) } );
+3
source

Source: https://habr.com/ru/post/1245545/

More articles:


All Articles