Invalidate all authentication cookies in ASP.NET Core 3
On ASP.NET Core 3, when a user logs out, I would like to invalidate all the cookies that exist on different devices. The user might have logged in from several different browsers, and the user has the option to use "Remember me" that lasts 30 days.
My understanding of how to solve this problem so far:
1. Use a securityStamp (a GUID) that I store in the database at the user level
2. Add this securityStamp to the claims at login
3. On logout, change the securityStamp in the database
4. When an HTTP request arrives at a controller method with the [Authorize] attribute, check whether the securityStamp matches the one stored in the database. If not, redirect to the login page.
My question is about point 4): where and how do I write this securityStamp check in the ASP.NET Core framework and redirect to the login page?
Here is my code at login time:
    // Issue a fresh stamp for this login and persist it on the user row.
    string securityStamp = Guid.NewGuid().ToString();
    saveSecurityStampInDB(securityStamp, user.Id);

    // The stamp travels inside the cookie as a claim.
    var userClaims = new List<Claim>()
    {
        new Claim("id", user.Id.ToString()),
        new Claim("securityStamp", securityStamp),
        new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string")
    };
    var grantMyIdentity = new ClaimsIdentity(userClaims, "User Identity");
    var userPrincipal = new ClaimsPrincipal(new[] { grantMyIdentity });

    if (rememberMe.HasValue && rememberMe.Value)
    {
        // "Remember me": persistent cookie with an explicit expiry.
        await HttpContext.SignInAsync(userPrincipal, new AuthenticationProperties
        {
            IsPersistent = true,
            ExpiresUtc = DateTime.UtcNow.AddMonths(1)
        });
    }
    else
    {
        // Session cookie only.
        await HttpContext.SignInAsync(userPrincipal);
    }
UPDATE:
I have my own user table; I don't use Entity Framework or the whole built-in Identity management.
Comments (1)
You can use the SecurityStamp property and the SecurityStampValidatorOptions.ValidationInterval property to make the logout user's cookie invalid.
1. Register ValidationInterval in ConfigureServices
2. Add userManager.UpdateSecurityStampAsync() in your Logout like below
Result:
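
For the case in the question's UPDATE (a custom user table, no built-in Identity), the check in point 4 can be placed in the cookie handler's validation event. This is an added example, not code from the question or the answer above; `IUserStampStore`, `SecurityStampCookieEvents` and the `/Account/Login` path are assumptions introduced for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical abstraction over the custom user table (assumption, not from the page).
public interface IUserStampStore
{
    Task<string> GetSecurityStampAsync(string userId);
}

// Invoked by the cookie handler on every request that carries the auth cookie,
// before [Authorize] is evaluated.
public class SecurityStampCookieEvents : CookieAuthenticationEvents
{
    private readonly IUserStampStore _store;

    public SecurityStampCookieEvents(IUserStampStore store) => _store = store;

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        // Claim names match the ones issued at login in the question.
        var userId = context.Principal?.FindFirst("id")?.Value;
        var cookieStamp = context.Principal?.FindFirst("securityStamp")?.Value;

        // One lookup per authenticated request; cache it if that is too costly.
        var currentStamp = userId == null ? null : await _store.GetSecurityStampAsync(userId);

        // Fail closed: a missing claim, unknown user or stale stamp rejects the cookie.
        if (cookieStamp == null || currentStamp == null ||
            !string.Equals(cookieStamp, currentStamp, StringComparison.Ordinal))
        {
            context.RejectPrincipal();                       // request becomes anonymous
            await context.HttpContext.SignOutAsync(context.Scheme.Name); // clear the cookie
        }
    }
}

// Registration in Startup.ConfigureServices (the store implementation is yours):
//   services.AddScoped<IUserStampStore, YourUserStampStore>();
//   services.AddScoped<SecurityStampCookieEvents>();
//   services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//       .AddCookie(options =>
//       {
//           options.LoginPath = "/Account/Login";   // assumed login route
//           options.EventsType = typeof(SecurityStampCookieEvents);
//       });
```

Once the principal is rejected the request is unauthenticated, so any [Authorize] action issues the cookie scheme's challenge, which redirects to `LoginPath`.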