When is the Authentication cookie bound to the current authenticated user and How does the bind happen?

  • Question

  • User-1883279579 posted

    Hey guys, so I'm working on an asp.net web application and I'm having trouble figuring out:

    1.) When is the Authentication cookie bound to the current authenticated user?

    2.) How does the bind happen?

    Though it works, I find it weird that the (Login method), accessible via (// POST: /Account/Login), does not in any way bind the Authenticated user to the Cookie after confirming that the user exists in the database.

    Can anyone give a simple and easy to understand explanation of why this is the case!!! I haven't found any good documentation yet after a sleepless night.

    I'm using the default [ASP.NET Web Application (.NET Framework)] template.

    Here is the configured sign-in cookie:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(1),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },
        SlidingExpiration = false,                 // activity does not push the expiry out
        ExpireTimeSpan = TimeSpan.FromMinutes(2)   // ticket inside the cookie expires 2 minutes after issue
    });

    And here is the Login POST form, which confirms and authenticates a user with no cookie reference:

    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // This doesn't count login failures towards account lockout
        // To enable password failures to trigger account lockout, change to shouldLockout: true
        // On SignInStatus.Success, PasswordSignInAsync has already called
        // AuthenticationManager.SignIn with the user's ClaimsIdentity; the cookie
        // middleware registered in Startup.Auth.cs turns that into the Set-Cookie header,
        // so this action never touches the cookie itself.
        var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            case SignInStatus.RequiresVerification:
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
            case SignInStatus.Failure:
            default:
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }

    Saturday, December 29, 2018 2:40 PM

All replies

  • User475983607 posted

    The SignInManager.PasswordSignInAsync() creates the cookie.

    var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);

    The browser sends the auth cookie on each request after a successful authentication.  The ASP Identity framework, through configuration when the app starts, reads the cookie on each request, fetches the token within the cookie, and uses the token to build the user principal.

    Sunday, December 30, 2018 5:08 PM
  • User-1883279579 posted

    The browser sends the auth cookie on each request after a successful authentication.  The ASP Identity framework, through configuration when the app starts, reads the cookie on each request, fetches the token within the cookie, and uses the token to build the user principal.

    Hey, would you kindly mind explaining this statement? Like how each request operation happens and how the server is able to validate the cookie on each request. Maybe something like the ASP.NET cookie request authentication/authorization workflow, from the time a request is sent till the time the request is finished. Also, kindly post the code that does each operation, like the one in Startup.Auth.cs, and what else it's responsible for other than issuing the cookie. Does it validate the cookie or something with each request?

    Monday, December 31, 2018 6:01 AM
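The two halves of the mechanism described in the reply above (the cookie is created by PasswordSignInAsync; on every later request the middleware reads the cookie and rebuilds the principal from it) and asked about in the follow-up, shown as an added example that is not code from this thread or from the ASP.NET template. It runs the same operations the OWIN cookie middleware performs, but in a console program outside the pipeline so each step is visible. Assumptions: the NuGet package Microsoft.Owin.Security (for TicketDataFormat and DpapiDataProtectionProvider), a Windows host so DPAPI is available, the three purpose strings passed to Create (taken to be the middleware's type name, the AuthenticationType and "v1"), and the claim type name used for the security stamp. The user record and stamps are constructed in-line; the real SecurityStampValidator only consults the store once per validateInterval, whereas this demo checks the stamp on every call.

```csharp
// Added illustration (not from the thread or the ASP.NET template): the cookie
// middleware's sign-in and per-request work done by hand. Assumptions are marked.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;

static class CookieTicketDemo
{
    // Assumption: the purposes the middleware uses when it creates its data protector.
    // A cookie protected under one set of purposes cannot be unprotected under another.
    const string MiddlewareType = "Microsoft.Owin.Security.Cookies.CookieAuthenticationMiddleware";
    const string AuthType = "ApplicationCookie"; // value of DefaultAuthenticationTypes.ApplicationCookie
    // Assumption: the claim type under which ASP.NET Identity stores the security stamp.
    const string StampClaim = "AspNet.Identity.SecurityStamp";

    static readonly TicketDataFormat Format = new TicketDataFormat(
        new DpapiDataProtectionProvider("CookieTicketDemo").Create(MiddlewareType, AuthType, "v1"));

    // Sign-in side: the identity built from the database row is serialized into an
    // AuthenticationTicket, encrypted and integrity-protected, and the resulting string
    // is the entire cookie value. Nothing is stored server-side; the cookie is the binding.
    public static string IssueCookie(string userId, string userName, string securityStamp,
                                     TimeSpan lifetime, bool persistent)
    {
        var identity = new ClaimsIdentity(AuthType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(StampClaim, securityStamp));

        var props = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.Add(lifetime), // ExpireTimeSpan in Startup.Auth.cs
            IsPersistent = persistent                          // model.RememberMe
        };
        return Format.Protect(new AuthenticationTicket(identity, props));
    }

    // Request side: Unprotect rejects anything not produced under the same key and
    // purposes, then the ticket's own expiry is checked, then the stamp is compared with
    // the store (the real validator does this once per validateInterval, not every request).
    public static ClaimsIdentity Authenticate(string cookieValue, Func<string, string> currentStampFor)
    {
        AuthenticationTicket ticket;
        try
        {
            ticket = Format.Unprotect(cookieValue);
        }
        catch (Exception) // malformed encoding or failed integrity check / decryption
        {
            return null;
        }
        if (ticket == null || ticket.Identity == null)
            return null;

        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow)
            return null; // expired ticket: request proceeds as anonymous

        Claim id = ticket.Identity.FindFirst(ClaimTypes.NameIdentifier);
        Claim stamp = ticket.Identity.FindFirst(StampClaim);
        if (id == null || stamp == null || stamp.Value != currentStampFor(id.Value))
            return null; // stamp changed (password reset etc.): old cookie no longer accepted

        return ticket.Identity; // this is what becomes HttpContext.User
    }

    static void Main()
    {
        // Constructed stand-in for the users table: user id -> current security stamp.
        var stamps = new Dictionary<string, string> { { "42", "stamp-A" } };
        Func<string, string> lookup = uid => { string s; return stamps.TryGetValue(uid, out s) ? s : null; };

        string cookie = IssueCookie("42", "alice@example.com", "stamp-A", TimeSpan.FromMinutes(2), false);
        Console.WriteLine("cookie value: " + cookie);

        ClaimsIdentity user = Authenticate(cookie, lookup);
        Console.WriteLine("fresh cookie accepted as: " + (user == null ? "(rejected)" : user.Name));

        // Flip one character of the cookie: the integrity check fails on the next request.
        char[] c = cookie.ToCharArray();
        int mid = c.Length / 2;
        c[mid] = c[mid] == 'A' ? 'B' : 'A';
        Console.WriteLine("tampered cookie accepted: " + (Authenticate(new string(c), lookup) != null));

        // A password change regenerates the stamp in the store; the old cookie still
        // decrypts but fails the stamp comparison.
        stamps["42"] = "stamp-B";
        Console.WriteLine("cookie after stamp change accepted: " + (Authenticate(cookie, lookup) != null));
    }
}
```

Read against the Startup above: ExpireTimeSpan sets ExpiresUtc inside the ticket, SlidingExpiration = false means the middleware never re-issues a ticket with a later expiry, and validateInterval decides how often the stamp comparison in Authenticate actually hits the database. Because the cookie carries the whole identity, a copy of it is as good as a password until it expires or the stamp changes, which is why it must only travel over HTTPS with HttpOnly set.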