Looking at ASP.NET Identity (new membership implementation in ASP.NET), I came across this interface when implementing my own UserStore:
```csharp
// Microsoft.AspNet.Identity.Core.dll
namespace Microsoft.AspNet.Identity
{
    // Extends the base user store with get/set of the user's security stamp.
    public interface IUserSecurityStampStore<TUser> : IUserStore<TUser> where TUser : IUser
    {
        // Methods
        Task<string> GetSecurityStampAsync(TUser user);
        Task SetSecurityStampAsync(TUser user, string stamp);
    }
}
```
IUserSecurityStampStore is implemented by the default EntityFramework.UserStore<TUser>, which essentially gets and sets the TUser.SecurityStamp property.
After some more digging, it appears that a SecurityStamp is a Guid that is newly generated at key points in the UserManager (for example, changing passwords).
I can't really decipher much beyond this since I'm examining this code in Reflector. Almost all the symbol and async information has been optimized out.
Also, Google hasn't been much help.
Questions are:
- What is a SecurityStamp in ASP.NET Identity and what is it used for?
- Does the SecurityStamp play any role when authentication cookies are created?
- Are there any security ramifications or precautions that need to be taken with this? For example, don't send this value downstream to clients?
Update (9/16/2014)
Source code available here:
This is meant to represent the current snapshot of your user's credentials. So if nothing changes, the stamp will stay the same. But if the user's password is changed, or a login is removed (unlink your google/fb account), the stamp will change. This is needed for things like automatically signing users/rejecting old cookies when this occurs, which is a feature that's coming in 2.0.
Identity is not open source yet, it's currently in the pipeline still.
Edit: Updated for 2.0.0. So the primary purpose of the SecurityStamp is to enable sign out everywhere. The basic idea is that whenever something security related is changed on the user, like a password, it is a good idea to automatically invalidate any existing sign in cookies, so if your password/account was previously compromised, the attacker no longer has access. In 2.0.0 we added the following configuration to hook the OnValidateIdentity method in the CookieMiddleware to look at the SecurityStamp and reject cookies when it has changed. It also automatically refreshes the user's claims from the database every refreshInterval if the stamp is unchanged (which takes care of things like changing roles etc). If your app wants to trigger this behavior explicitly, it can call:
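The cookie-validation hookup the answer above describes, written out as an added example (this is not code from the answer or from the Identity project). It assumes the Identity 2.x OWIN packages and the ApplicationUserManager, ApplicationUser and GenerateUserIdentityAsync types from the standard project template; the interval the answer calls refreshInterval is the validateInterval parameter here.

```csharp
// Startup.Auth.cs in an OWIN-hosted app using ASP.NET Identity 2.x.
using System;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // ApplicationUserManager / ApplicationUser come from the project template (assumed here).
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Every validateInterval the stamp claim carried inside the (encrypted)
                // auth cookie is compared with the stamp in the user store. A mismatch
                // rejects the cookie (sign out everywhere); a match rebuilds the identity
                // from the store so role/claim changes are picked up.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// Explicitly invalidating every existing cookie for the current user, e.g. from a
// "sign out of all devices" action. Password changes already do this internally.
public class SecurityController : Controller
{
    // UserManager is assumed to be resolved from the OWIN context, as in the template.
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> SignOutEverywhere()
    {
        // Rotating the stamp makes every cookie issued before this call fail validation
        // at its next validateInterval check; the current session is ended immediately.
        await UserManager.UpdateSecurityStampAsync(User.Identity.GetUserId());
        HttpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Login", "Account");
    }
}
```

Cookies issued before the rotation keep working until their next validateInterval check, so choose the interval with that window in mind.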
I observed the SecurityStamp to be required for token verification.
To repro:
- Set SecurityStamp to null in the database
- Generate a token (works ok)
- Verify token (fails)
The UseCookieAuthentication is deprecated by now. I managed to configure it using
Moved from reply to answer per request.