
tl;dr question: What is the preferred way of authentication, cookie or silent renew, and why?

I have a react app with .net core backend and identity server 4 as authentication.

Basically I have two apps

  1. identity server (ef core, asp identity, own database)
  2. web app(react + .net core backend, own database)

And now I need to make authentication. I used cookie auth with a long cookie expiration (180 days), so the user doesn't need to sign in every time. And it is working well. The only problem is that I can't sign out the user when I want. I mean, if the user changes their password (because they change it in identity server, not the web app) I should sign them out of the web app. But I can't, since they still have a valid cookie.

And now I'm reading something about the silent renew method. I guess that silent renew would solve this problem. But doesn't it overload the server? Or what is the correct way of doing authentication in a React app, and why?

Thank you very much

ferdinand

1 Answer


For ASP.NET Identity, you will want to look at the SecurityStamp. This is a column in the user table and stored in the encrypted cookie, and is validated against the server at regular intervals. It changes when a user updates their password, and you can also trigger the change manually as well (for example, having a “sign out everywhere” link that will effectively invalidate all existing cookies).

Here is a great explanation of what it is and how to override the validation interval if needed: What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?

For initial testing you will probably want to set this interval to a very low time to actually see the change taking effect.

Kyle Dodge
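The two pieces the answer describes, the SecurityStamp validation interval and a “sign out everywhere” action that rotates the stamp, as an added C# example that is not part of the answer. It assumes ASP.NET Core Identity with Entity Framework Core, a long-lived application cookie as in the question, and that the app issuing the cookie can read the Identity user table (the validator does a database read on each check). `ApplicationUser`, `AppDbContext`, `Startup`, `AccountController` and `SignOutEverywhere` are names chosen for this example; `SecurityStampValidatorOptions.ValidationInterval` and `UserManager.UpdateSecurityStampAsync` are the real Identity APIs.

```csharp
// Added example, not code from the answer or from ASP.NET Identity itself.
// Names such as ApplicationUser, AppDbContext and SignOutEverywhere are assumed.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Minimal Identity user and EF Core context so the example is self-contained.
public class ApplicationUser : IdentityUser { }

public class AppDbContext : IdentityDbContext<ApplicationUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));

        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<AppDbContext>()
            .AddDefaultTokenProviders();

        // Long-lived cookie, as in the question (180 days).
        services.ConfigureApplicationCookie(options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromDays(180);
            options.SlidingExpiration = true;
        });

        // The cookie carries the SecurityStamp; Identity re-checks it against the
        // user table once per ValidationInterval (default 30 minutes). A password
        // change rotates the stamp, so the next check after the interval rejects
        // every cookie issued before the change. Lower the value while testing to
        // see the effect quickly; each validation is a database read, so keep it
        // reasonable in production.
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.FromMinutes(5);
        });
    }
}

[Authorize]
public class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AccountController(UserManager<ApplicationUser> userManager,
                             SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // "Sign out everywhere": rotating the stamp invalidates all existing cookies
    // for this user at their next validation, then this session is signed out.
    // (ChangePasswordAsync already rotates the stamp, so a password change needs
    // no extra call.)
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> SignOutEverywhere()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return Challenge();

        await _userManager.UpdateSecurityStampAsync(user);
        await _signInManager.SignOutAsync();
        return RedirectToAction("Index", "Home");
    }
}
```

Note that the other sessions are not revoked instantly: a cookie keeps working until its next validation, so the effective sign-out delay is at most one ValidationInterval, which is the trade-off between revocation latency and database load that the interval setting controls.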