How does OnValidateIdentity ASP.NET Identity work

I'm trying to better understand how exactly .NET Identity's OnValidateIdentity method works. I have set up this piece of code in my application as follows:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        CookieName = "LoginCookie",
        ExpireTimeSpan = TimeSpan.FromHours(1),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromHours(1),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
Does OnValidateIdentity here have the role of checking, when a user accesses my website, how old his cookie is, and if it's older than the one that I've set here (which is 1 hour), will the user be forced to log in to the application again?
Is this how it works exactly?
1 Answer
Well, why not read the source code yourself to gain full understanding?
In short, this method will check if the value of SecurityStamp on the user record has changed. It will do the checking every hour (in your setup). So if SecurityStamp has changed, the cookie is invalidated. If SecurityStamp is unchanged from the last time it checked, the value of the cookie is updated (with a new timestamp) but the user is not logged out.
This feature is useful when a user changes their password and would like to invalidate all existing auth cookies in all browsers.
A bit more detail in my blog post.
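
The check described in this answer, written out as a small stand-alone model. This is an added example, not part of the original answer and not the library's source; the `Cookie`, `Outcome` and `StampCheckModel` names and the stamp values are hypothetical. It shows the consequence of `validateInterval`: a cookie issued before a password change is still accepted until the interval has elapsed.

```csharp
using System;

// Simplified model of the per-request decision; not the ASP.NET Identity source.
// All type and member names below are hypothetical.
enum Outcome { SkippedCheck, Refreshed, Rejected }

class Cookie
{
    public DateTimeOffset IssuedUtc;
    public string Stamp;   // security stamp copied into the cookie at sign-in
}

static class StampCheckModel
{
    public static Outcome Validate(Cookie cookie, string stampInStore,
                                   DateTimeOffset now, TimeSpan validateInterval)
    {
        // Inside the interval the user store is not consulted at all.
        if (now - cookie.IssuedUtc <= validateInterval)
            return Outcome.SkippedCheck;

        // Interval elapsed: compare the cookie's stamp with the stored one.
        if (!string.Equals(cookie.Stamp, stampInStore, StringComparison.Ordinal))
            return Outcome.Rejected;   // cookie invalidated, user must sign in again

        cookie.IssuedUtc = now;        // cookie reissued, interval starts over
        return Outcome.Refreshed;
    }

    static void Main()
    {
        var interval = TimeSpan.FromHours(1);
        var t0 = new DateTimeOffset(2024, 1, 1, 9, 0, 0, TimeSpan.Zero); // constructed time
        var cookie = new Cookie { IssuedUtc = t0, Stamp = "stamp-A" };

        // Scenario: the password was changed after sign-in, so the store holds "stamp-B".
        // 30 minutes in, the request falls inside the interval and no lookup happens.
        Console.WriteLine(Validate(cookie, "stamp-B", t0.AddMinutes(30), interval));
        // 61 minutes in, the interval has elapsed and the stamps are compared.
        Console.WriteLine(Validate(cookie, "stamp-B", t0.AddMinutes(61), interval));

        // Scenario: stamp unchanged, interval elapsed.
        var other = new Cookie { IssuedUtc = t0, Stamp = "stamp-A" };
        Console.WriteLine(Validate(other, "stamp-A", t0.AddMinutes(61), interval));
    }
}
```

A shorter `validateInterval` narrows the window in which an old cookie is still accepted after the stamp changes, at the cost of more frequent user-store lookups.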