3

I seem to have some trouble understanding the way Identity 2.0 and cookies work. ASP.NET MVC 5.

What I want: If a user logs in and he checks the checkbox 'Remember me', I don't want him to be logged out ever.. But what happens is: the user gets logged out after a certain timespan.

The 'Remember me' functionality works if the user closes the browser before the timespan. (When he reopens the website, he's still logged in.)

This is the code I have for signing in:

 public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
 {
      if (!ModelState.IsValid)
      {
           return View(model);
      }

      // Require the user to have confirmed their email before they can log on.
      var user = await UserManager.FindByNameAsync(model.Email);
      if (user != null)
      {
           if (!await UserManager.IsEmailConfirmedAsync(user.Id))
           {
                await SendEmailConfirmationTokenAsync(user.Id);

                ModelState.AddModelError("", "Gelieve eerst je e-mailadres te bevestigen.");
                return View(model);
            }
      }

      // This doesn't count login failures towards account lockout
      // To enable password failures to trigger account lockout, change to shouldLockout: true
      var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: true);
      switch (result)
      {
           case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
           case SignInStatus.LockedOut:
                return View("Lockout");
           case SignInStatus.Failure:
           default:
                ModelState.AddModelError("", "Ongeldige aanmeldpoging.");
                return View(model);
      }
 }

And this is the code in Startup.Auth:

 app.UseCookieAuthentication(new CookieAuthenticationOptions
 {
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login"),
      ExpireTimeSpan = TimeSpan.FromMinutes(5),
      Provider = new CookieAuthenticationProvider
      {
           // Enables the application to validate the security stamp when the user logs in.
           // This is a security feature which is used when you change a password or add an external login to your account.

           OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                validateInterval: TimeSpan.FromMinutes(10),
                regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: (id) => (id.GetUserId<int>()))
      }
 });

So I would expect the user to not be logged out after 5 minutes, because the isPersistent flag is set in the PasswordSignInAsync function.

Thanx for any help.

Kevin
  • 63
  • 6

1 Answers1

1

This is a known bug.

It can be fixed by replacing SecurityStampValidator.OnValidateIdentity with your own code - when the cookie is re-generated, it forgets to add "RememberMe" property in the new cookie and this makes the new cookie not persistent.

I think this has been resolved in v2.2, but this version is not out for production yet. And sadly I can't find the original bug-report for this now.

Community
  • 1
  • 1
trailmax
  • 34,305
  • 22
  • 140
  • 234