3

I generate a custom user token in an ApiController and email it to the user with a callback link using

var token = userManager.GenerateUserToken(user.Id, "ConfirmAction");
var callbackUrl = this.Url.Link("Default", new { controller = "AccountController", action = "ActionXYZ", new { userId = user.Id, token = token} });

When the user click the link I handle it in the MVC Controller with

var validToken = await userManager.VerifyUserTokenAsync(user.Id, "ConfirmAction", token);
if(validToken)
{
  // Can token be cancelled to disallow re-use?

}

Is there a way to prevent the token being used more than once without saving the token in the database? Eg some kind of earlier expiry for a specific token?

  • Did you try reusing the same token again? Did it work? – Chetan Nov 04 '17 at 22:05
  • Yes, the link works multiple times for up to 24 hours. It then expires after 24 hours. However, I only want the link to work once only. –  Nov 04 '17 at 22:07

1 Answers1

2

Yes you can , for example you want to send the user a link for password reset , and you want the user to use the link one time only , first you need to create a token based on data that will be changed after the user clicked the link , for example if user want to change the password, use the old password or last time user logged in as part of the token (after using some security key to generated hashed-salted string of the old password to be included in the token) , so if the user click on the link and changed the password the old token will no longer be valid as you will compare its validity with the current password (which is already changed)
please check this question on Stackoverflow if you need help on how to created hash-salted password

Cyber Progs
  • 3,656
  • 3
  • 30
  • 39