2

When I activate the OWIN logout-everywhere feature via security stamps and use the OnValidateIdentity-Callback of the CookieAuthenticationProvider with the SecurityStampValidator-class, the user is logged out every time he closes the browser.

provider.OnValidateIdentity =
    SecurityStampValidator.OnValidateIdentity<MyUserManager, MyUser>(
        System.TimeSpan.FromSeconds(10), (manager, user) => {
            return user.GenerateUserIdentityAsync(manager);
        });

However, when I do the plumbing myself (lookup and comparison of the security stamps, rejecting or renewing the identity) in the OnValidateIdentity-callback, everything seems to work fine.

Is this a known bug, or am I missing something here? Or is there good documentation about the CookieAuthenticationProvider and the use of OnValidateIdentity?
Digging with Google only shows me some simple samples, but gives no further insight.

Additional information

  • I use my own implementation of the UserStorage, which saves all the data in a database
  • I noted that every page request calls GetSecurityStampAsync of the UserStorage twice, whereas when I use my implementation, only one call is made.
  • Installed Identity Version is 2.0.1
HCL

3 Answers

4

This is basically a bug; the regeneration of the cookie should respect the current Remember Me option on the cookie. As a workaround, you can copy the OnValidateIdentity code and feed in the current context properties to flow the Persistent mode through:

context.OwinContext.Authentication.SignIn(context.Properties, identity);
LeftyX
Hao Kung
3

This is resolved in ASP.NET Identity 2.2. See https://aspnetidentity.codeplex.com/workitem/2319

robrich
0

I have found the following code in the disassembly of SecurityStampValidator.OnValidateIdentity:

// .. some other code
// ...
ClaimsIdentity claimsIdentity = await regenerateIdentityCallback(userManager, tUser);
if (claimsIdentity != null)
{
    context.get_OwinContext().get_Authentication().SignIn(new ClaimsIdentity[]
    {
        claimsIdentity
    });
}

It seems to me that the SignIn operation is incomplete and should set the remember-me option? Therefore I assume that the implementation of SecurityStampValidator is buggy.

HCL
  • My research and debugging show that 'Ispersistent' is added as a claim on the user's identity. – OzBob May 01 '15 at 06:46