我正在使用ASP Identity进行身份验证。Statup.Auth.cs的一部分看起来像:
app.UseCookieAuthentication(
new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity =
SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity:
(manager, user) =>
user.GenerateUserIdentityAsync(manager))
},
ExpireTimeSpan = TimeSpan.FromMinutes(Settings.Default.SessionExpireTimeoutInMinutes),
});
以及我登录方法的一部分:
SignInStatus result = await this.SignInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, shouldLockout: false);
如果用户选择了"记住我"选项,那么在大约30天之前,他不应该被注销。如果他不选择此选项,他应该在一段短时间后自动注销,比如说10分钟。此时,无论用户是否选择了该选项,他都将注销。
SecurityStampValidator
类中存在一个已知的错误,它在重置身份验证cookie时阻止了isPersistent
属性的保留。
这个问题应该已经解决了,所以你应该尝试更新所有的包,但有些人仍然有问题。
解决此问题的一种方法是编写自己的SecurityStampValidator
类。您可以在此处找到Microsoft源代码的版本。
以下是我尝试过的一些似乎有效的代码(我添加了带有AllowRefresh
和IsPersistent
属性集的AuthenticationProperties
):
using Microsoft.Owin.Security.Cookies;
using Owin;
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
namespace Microsoft.AspNet.Identity.Owin
{
/// <summary>
/// Static helper class used to configure a CookieAuthenticationProvider to validate a cookie against a user's security stamp
/// </summary>
public static class MySecurityStampValidator
{
/// <summary>
/// Can be used as the ValidateIdentity method for a CookieAuthenticationProvider which will check a user's security stamp after validateInterval
/// Rejects the identity if the stamp changes, and otherwise will call regenerateIdentity to sign in a new ClaimsIdentity
/// </summary>
/// <typeparam name="TManager"></typeparam>
/// <typeparam name="TUser"></typeparam>
/// <param name="validateInterval"></param>
/// <param name="regenerateIdentity"></param>
/// <returns></returns>
public static Func<CookieValidateIdentityContext, Task> OnValidateIdentity<TManager, TUser>(TimeSpan validateInterval, Func<TManager, TUser, Task<ClaimsIdentity>> regenerateIdentity)
where TManager : UserManager<TUser, string>
where TUser : class, IUser<string>
{
return OnValidateIdentity<TManager, TUser, string>(validateInterval, regenerateIdentity, (id) => id.GetUserId());
}
/// <summary>
/// Can be used as the ValidateIdentity method for a CookieAuthenticationProvider which will check a user's security stamp after validateInterval
/// Rejects the identity if the stamp changes, and otherwise will call regenerateIdentity to sign in a new ClaimsIdentity
/// </summary>
/// <typeparam name="TManager"></typeparam>
/// <typeparam name="TUser"></typeparam>
/// <typeparam name="TKey"></typeparam>
/// <param name="validateInterval"></param>
/// <param name="regenerateIdentityCallback"></param>
/// <param name="getUserIdCallback"></param>
/// <returns></returns>
public static Func<CookieValidateIdentityContext, Task> OnValidateIdentity<TManager, TUser, TKey>(TimeSpan validateInterval, Func<TManager, TUser, Task<ClaimsIdentity>> regenerateIdentityCallback, Func<ClaimsIdentity, TKey> getUserIdCallback)
where TManager : UserManager<TUser, TKey>
where TUser :class, IUser<TKey>
where TKey : IEquatable<TKey>
{
return async (context) =>
{
DateTimeOffset currentUtc = DateTimeOffset.UtcNow;
if (context.Options != null && context.Options.SystemClock != null)
{
currentUtc = context.Options.SystemClock.UtcNow;
}
DateTimeOffset? issuedUtc = context.Properties.IssuedUtc;
// Only validate if enough time has elapsed
bool validate = (issuedUtc == null);
if (issuedUtc != null)
{
TimeSpan timeElapsed = currentUtc.Subtract(issuedUtc.Value);
validate = timeElapsed > validateInterval;
}
if (validate)
{
var manager = context.OwinContext.GetUserManager<TManager>();
var userId = getUserIdCallback(context.Identity);
if (manager != null && userId != null)
{
var user = await manager.FindByIdAsync(userId).ConfigureAwait(false);
bool reject = true;
// Refresh the identity if the stamp matches, otherwise reject
if (user != null && manager.SupportsUserSecurityStamp)
{
string securityStamp = context.Identity.FindFirstValue(Constants.DefaultSecurityStampClaimType);
if (securityStamp == await manager.GetSecurityStampAsync(userId).ConfigureAwait(false))
{
reject = false;
// Regenerate fresh claims if possible and resign in
if (regenerateIdentityCallback != null)
{
ClaimsIdentity identity = await regenerateIdentityCallback.Invoke(manager, user);
if (identity != null)
{
var isPersistent = context.Properties.IsPersistent;
AuthenticationProperties prop = new AuthenticationProperties();
prop.AllowRefresh = true; //without this, will log out after 30 minutes
prop.IsPersistent = isPersistent; //without this, will log out after 30 minutes, or whenever the browser session is ended
context.OwinContext.Authentication.SignIn(prop, identity);
}
}
}
}
if (reject)
{
context.RejectIdentity();
context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
}
}
}
};
}
}
}
然后,您可以通过在Startup.Auth.cs
文件中将SecurityStampValidator
更改为MySecurityStampValidator
来使用它,假设您使用的是标准MVC项目模板。
在我的案例中,问题出在machineKey中。托管我网站的服务器不断更改其用于加密和解密票证的machineKey,解决方案是在Web.Config.中分配一个固定的machineKey
请在此处查看此解决方案。