What makes user's security stamp invalid

  • Question

  • User657329123 posted

    Hello there,

    I'm trying to understand SecurityStampValidator Validation Interval in the code below as user keeps telling me that they get logged out.

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },
    });

    The default ASP.NET Identity template only sets validateInterval, leaving ExpireTimeSpan unset at its default of 14 days.

    As per my understanding the Security Stamp is created anytime a password is created/changed or an external login is added/removed. If a user changes their password then the SecurityStamp will be updated. This results in any cookie that might have been issued previous to the password change to become invalid the next time the validateInterval occurs.

    User is telling me that they get logged out after 30 minutes of inactivity.

    Joe

    Tuesday, May 21, 2019 1:21 PM

All replies

  • User475983607 posted

    Have you verified the 30 minute timeout after nonuse?

    I would set the Cookie expiration time to whatever value you want.

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        // Lifetime of the authentication cookie (the template leaves this at its 14-day default).
        ExpireTimeSpan = TimeSpan.FromMinutes(60),
        // ... Provider / OnValidateIdentity as in the template ...
    });

    Then be sure you persist the cookie after authenticating.

    // isPersistent: true keeps the cookie across browser sessions; shouldLockout is required by the Identity 2.x signature.
    var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, isPersistent: true, shouldLockout: false);

    Tuesday, May 21, 2019 2:46 PM
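The cookie lifetime and the security stamp check interact, so here is the OWIN cookie configuration with both settings spelled out together. This is an added example, not code from the thread; it assumes the template's Startup class and the ApplicationUserManager / ApplicationUser types named above.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Lifetime of the auth cookie itself. With SlidingExpiration (the default)
            // the middleware re-issues the cookie on a request made after more than
            // half of this interval has elapsed, so an active user stays signed in
            // and an idle user is signed out once 30 minutes pass without a request.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,

            // Keep the cookie off plain HTTP and away from script.
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,

            Provider = new CookieAuthenticationProvider
            {
                // Security stamp check: every validateInterval the stamp claim in the
                // cookie is compared with the stamp stored for the user. Keep it shorter
                // than ExpireTimeSpan, otherwise the check never runs before the cookie
                // expires. The cookie is rejected (user signed out) when the stamps
                // differ, e.g. after a password change or an external login was
                // added/removed, or when the user id in the cookie cannot be found by
                // the user manager. On a match the identity is regenerated and the
                // cookie re-issued with a fresh expiry.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

Sign in with isPersistent set to true (as in the call above) if the cookie should survive a browser restart; otherwise it becomes a session cookie regardless of ExpireTimeSpan.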
  • User657329123 posted

    I confirm and user gets kicked out after 30 minutes even with activity.  Any idea why? I would like user to get logged out after 30 mins of inactivity.  I'm using AD for authentication.

    Friday, May 24, 2019 6:05 PM
  • User475983607 posted

    I confirm and user gets kicked out after 30 minutes even with activity.  Any idea why?

    There's just not enough information to guess what you're doing.  I assume you are authenticating with Azure AD and using a protocol like OAuth/OIDC?  Otherwise, there's no reason to use Identity.  My best guess is that you configured the auth token to expire after 30 minutes and you're not refreshing the token.

    Friday, May 24, 2019 6:20 PM