使ASP.NET Identity 2.0登录无效而不删除应用程序cookie [英] Invalidate ASP.NET Identity 2.0 login without removing the application cookie

问题描述

背景

Background

我正在处理的应用程序在几个不同的域上运行，它们都共享相同的数据库和IIS进程.用户可以通过单击链接在这些域之间切换，并且应该保持登录状态.为此，当单击交换域链接时，我在数据库中创建一个条目，其中包含Identity 2应用程序cookie的当前值(默认情况下命名为.AspNet.ApplicationCookie).然后，将用户重定向到新域，在该域​​中，cookie的值将从数据库中提取并在该域上进行设置.

The application I'm working on is running on several different domains, all sharing the same database and IIS process. The user may switch between these domains by clicking a link, and should remain logged in when doing so. To accomplish this, when the switch domain link is clicked I create an entry in the database which contains the current value of the Identity 2 application cookie (named .AspNet.ApplicationCookie by default). The user is then redirected to the new domain, where the value of the cookie is pulled from the database and set on that domain.

此技术有效，但是问题在于，从一个域注销不会使用户注销其他域，因为cookie只会从用户恰巧退出时所在的域中清除.

This technique is working, but the problem is that logging out on one domain doesn't log the user out on the other domains because the cookie only gets cleared from the domain that the user happens to be on when he logs out.

问题

Question

是否有一种方法可以使应用程序cookie在注销时无效，因此，当它仍然存在的域(大概是尝试授权请求)上被读取时，它将被忽略并从该域中删除. ，要求用户再次登录?

我尝试取消注释并在CookieAuthentication配置中设置OnValidateIdentity回调.听起来这可能与我想做的事情有关，但似乎并没有单独做任何事情.

I've tried uncommenting and setting up the OnValidateIdentity callback within the CookieAuthentication configuration. It sounds like this might be related to what I want to do but doesn't seem to do anything on its own.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/"),
    CookieName = ApplicationCookieKey, // a string constant
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User, Guid>(
            validateInterval: TimeSpan.FromSeconds(1),
            getUserIdCallback: ((identity) => { return identity.GetUserId(); } ),
            regenerateIdentityCallback: async (manager, user) => await manager.GenerateUserIdentityAsync(user))
    },
});

GenerateUserIdentityAsync方法:

public async Task<ClaimsIdentity> GenerateUserIdentityAsync(User user)
{
    // Note the authenticationType must match the one 
    // defined in CookieAuthenticationOptions.AuthenticationType
    var userIdentity = await CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
    // Add custom user claims here
    return userIdentity;
}

推荐答案

我尝试取消注释并设置OnValidateIdentity回调 在CookieAuthentication配置中.听起来像这样 可能与我想做的事情有关，但似乎什么也没做

I've tried uncommenting and setting up the OnValidateIdentity callback within the CookieAuthentication configuration. It sounds like this might be related to what I want to do but doesn't seem to do anything on its own.

仅在更新SecurityStamp时触发.否则，它什么都不做.您可以通过调用userManager.UpdateSecurityStamp()

This is only triggered when the SecurityStamp gets updated. Otherwise it does nothing. You can manually trigger it by calling userManager.UpdateSecurityStamp()

这篇关于使ASP.NET Identity 2.0登录无效而不删除应用程序cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！