Cookie middleware in MVC 6

  • Question

  • User52625461 posted

    I am trying to understand the cookie middleware authentication behavior and its flow. However, I am not able to understand it. Below are my issues:

    1. Does the cookie have to be set/get with ClaimsIdentity and not using ASP.NET Identity?
    2. I have implemented Remember Me functionality which creates the cookie, so do I need to use cookie middleware for this or not? For this I am using the code below:

      var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: true);
      

      So, considering the above way, how can I validate the user based on the cookie? Which is the preferred way of creating the cookie, point 1 or 2?

    1. How can I validate the user based on the cookie using claims identity?

    Any help on this is appreciated!

    Tuesday, May 3, 2016 4:24 AM

All replies

  • User-491950272 posted

    Firstly, Cookie can't be set explicitly, it is a token generated by Identity.

    Secondly Remember Me functionality (as you said) does not create the cookie. Cookie is created by SignInManager whether you implement Remember Me or not.

    The preferred way is the 2nd way, because in this case, you don't have to add users claims explicitly.

    Tuesday, May 3, 2016 1:25 PM
  • User52625461 posted

    Firstly, Cookie can't be set explicitly, it is a token generated by Identity.

    Secondly Remember Me functionality (as you said) does not create the cookie. Cookie is created by SignInManager whether you implement Remember Me or not.

    The preferred way is the 2nd way, because in this case, you don't have to add users claims explicitly.

    So, can you please tell me how I can validate the cookie using the 2nd way?

    Wednesday, May 4, 2016 8:15 AM
  • User-2057865890 posted

    Hi rohitpundlik,

    ASP.NET Identity comes with a built-in Remember Me feature on the Login form; it's supposed to keep a user logged in (via an authentication cookie) for a predetermined period of time set via your code settings.

    ASP.NET Identity Remember Me

    ASP.NET-Identity-Cookie-Authentication-Timeouts

    Best Regards,

    Chris

    Tuesday, May 10, 2016 11:26 AM
  • User-2004423278 posted

    The problem with the "built-in Remember Me feature on the Login form" is that it still validates login even if the user changed his password after the cookie was created.

    Tuesday, May 21, 2019 6:01 PM
  • User-474980206 posted

    Typically the cookie contains all info, and only the encryption is checked. You can validate the security stamp (and thus detect a password change), but as this requires a database hit on every request (to get the current stamp to compare), it is not the default. Just turn on security stamp validation if you want this feature.

    Tuesday, May 21, 2019 8:01 PM
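
The security stamp validation mentioned in the last reply, as an added example that is not part of any post in this thread. It assumes ASP.NET Core Identity 2.0 or later (the original MVC 6 / 1.x releases exposed the interval differently) and a user store that supports security stamps; `IdentityCookieSetup` and `PasswordChanger` are hypothetical names.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityCookieSetup
{
    // Call from Startup.ConfigureServices, after services.AddIdentity<...>().
    public static void Configure(IServiceCollection services)
    {
        // Interval at which the stamp carried in the cookie is compared with
        // the stamp stored for the user. TimeSpan.Zero compares on every
        // request, at the cost of one user-store read per request.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.FromMinutes(1));

        services.ConfigureApplicationCookie(o =>
        {
            // Ticket lifetime; also the lifetime of a persistent (Remember Me) cookie.
            o.ExpireTimeSpan = TimeSpan.FromDays(14);
            o.SlidingExpiration = true;
            o.Cookie.HttpOnly = true;                          // not readable from script
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
        });
    }
}

// Hypothetical helper for a "change password" action.
public class PasswordChanger
{
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;

    public PasswordChanger(UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn)
    {
        _users = users;
        _signIn = signIn;
    }

    public async Task<IdentityResult> ChangeAsync(IdentityUser user, string current, string next)
    {
        // A successful ChangePasswordAsync also rotates the user's security stamp.
        var result = await _users.ChangePasswordAsync(user, current, next);
        if (result.Succeeded)
            await _signIn.RefreshSignInAsync(user); // re-issue this browser's cookie with the new stamp
        return result;
    }
}
```

Cookies issued to other browsers before the password change fail the stamp comparison at their next validation, so they can remain usable for up to one `ValidationInterval` after the change.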