Asp.net mvc identity SecurityStamp signout everywhere


Question

What I want to do is to limit a user ID to only being able to log in to one device at a time. For example, user ID "abc" logs in to their computer. User ID "abc" now tries to log in from their phone. What I want to happen is to kill the session on their computer.

I'm using Asp.net mvc identity membership and using SecurityStamp for this purpose. This is my code in Account/Login action:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        var user = UserManager.FindByEmail(model.Email);
        var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
        await UserManager.UpdateSecurityStampAsync(user.Id);

The UpdateSecurityStampAsync method doc says: Generate a new security stamp for a user, used for SignOutEverywhere functionality. But it doesn't work.

Recommended answer

If you want to enable instant invalidation of cookies on other devices, then every request must hit the database to validate the cookie. To do that you need to configure cookie invalidation in Auth.Config.cs and set validateInterval to 0:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<UserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromSeconds(0),
                    regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
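
A simplified model of the stamp check behind the answer above, added here as an example and not code from the post or from ASP.NET Identity. It shows why an old cookie survives until it is older than validateInterval, and that rotating the stamp after sign-in, as the question's Login action does, also invalidates the cookie that was just issued. The names StampModel, Cookie, RotateStamp, SignIn and Validate are hypothetical, and the user ID and timestamps are constructed.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of the security stamp check; hypothetical names, not library code.
static class StampModel
{
    // Constructed stand-in for the user table: userId -> current security stamp.
    static readonly Dictionary<string, string> Db = new Dictionary<string, string>();

    public class Cookie { public string UserId, Stamp; public DateTime IssuedUtc; }

    public static void RotateStamp(string userId) { Db[userId] = Guid.NewGuid().ToString(); }

    // Issuing a cookie copies the stamp stored at that moment into it.
    public static Cookie SignIn(string userId, DateTime now)
    { return new Cookie { UserId = userId, Stamp = Db[userId], IssuedUtc = now }; }

    // Returns true when the request is accepted. The stamp is compared only once
    // the cookie is older than validateInterval; a passing check re-issues the cookie.
    public static bool Validate(Cookie c, DateTime now, TimeSpan validateInterval)
    {
        if (now - c.IssuedUtc <= validateInterval) return true; // no database lookup yet
        if (Db[c.UserId] != c.Stamp) return false;              // stale stamp: reject, sign out
        c.IssuedUtc = now;                                      // identity regenerated
        return true;
    }

    static void Main()
    {
        var t0 = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);
        var halfHour = TimeSpan.FromMinutes(30);
        RotateStamp("abc");
        var pc = SignIn("abc", t0);

        // Order used in the question: cookie issued first, stamp rotated afterwards.
        var phone = SignIn("abc", t0.AddMinutes(5));
        RotateStamp("abc");
        var t = t0.AddMinutes(6);
        Console.WriteLine("pc accepted, 30 min interval:   " + Validate(pc, t, halfHour));
        Console.WriteLine("pc accepted, zero interval:     " + Validate(pc, t, TimeSpan.Zero));
        Console.WriteLine("phone accepted, zero interval:  " + Validate(phone, t, TimeSpan.Zero));

        // Rotating before issuing the cookie keeps the new session and drops the old one.
        RotateStamp("abc");
        var phone2 = SignIn("abc", t0.AddMinutes(7));
        Console.WriteLine("phone2 accepted, rotate first:  " + Validate(phone2, t0.AddMinutes(8), TimeSpan.Zero));
        Console.WriteLine("pc accepted after that:         " + Validate(pc, t0.AddMinutes(8), TimeSpan.Zero));
    }
}
```

In the real Login action the equivalent ordering is to call UpdateSecurityStampAsync before the sign-in call that issues the cookie.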
