What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?


Question

Looking at ASP.NET Identity (new membership implementation in ASP.NET), I came across this interface when implementing my own UserStore:

//Microsoft.AspNet.Identity.Core.dll
using System;
using System.Threading.Tasks;

namespace Microsoft.AspNet.Identity
{
    // Store abstraction for reading and writing a user's security stamp.
    public interface IUserSecurityStampStore<TUser> : IUserStore<TUser>, IDisposable where TUser : IUser
    {
        // Methods
        Task<string> GetSecurityStampAsync(TUser user);
        Task SetSecurityStampAsync(TUser user, string stamp);
    }
}

IUserSecurityStampStore is implemented by the default EntityFramework.UserStore<TUser>, which essentially gets and sets the TUser.SecurityStamp property.

After some more digging, it appears that a SecurityStamp is a Guid that is newly generated at key points in the UserManager (for example, changing passwords).

I can't really decipher much beyond this since I'm examining this code in Reflector. Almost all the symbol and async information has been optimized out.

Also, Google hasn't been much help.

  • What is a SecurityStamp in ASP.NET Identity and what is it used for?
  • Does the SecurityStamp play any role when authentication cookies are created?
  • Are there any security ramifications or precautions that need to be taken with this? For example, don't send this value downstream to clients?

Source code available here:

  • https://github.com/aspnet/Identity/
  • https://github.com/aspnet/Security/

Answer

So this is basically meant to represent the current snapshot of your user's credentials. So if nothing changes, the stamp will stay the same. But if the user's password is changed, or a login is removed (unlink your google/fb account), the stamp will change. This is needed for things like automatically signing users/rejecting old cookies when this occurs, which is a feature that's coming in 2.0.

Identity is not open source yet, it's currently in the pipeline still.

Updated for 2.0.0. So the primary purpose of the SecurityStamp is to enable sign out everywhere. The basic idea is that whenever something security related is changed on the user, like a password, it is a good idea to automatically invalidate any existing sign in cookies, so if your password/account was previously compromised, the attacker no longer has access.

In 2.0.0 we added the following configuration to hook the OnValidateIdentity method in the CookieMiddleware to look at the SecurityStamp and reject cookies when it has changed. It also automatically refreshes the user's claims from the database every refreshInterval if the stamp is unchanged (which takes care of things like changing roles etc.).

app.UseCookieAuthentication(new CookieAuthenticationOptions {
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

If your app wants to trigger this behavior explicitly, it can call:

UserManager.UpdateSecurityStampAsync(userId);
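The validation flow the answer describes, as an added example in plain C# (not code from the question, the answer or ASP.NET Identity): FakeUser, FakeUserManager, AuthCookie and StampValidator are assumed stand-ins for the real UserManager, cookie ticket and SecurityStampValidator. It also shows the timing window that the validateInterval setting creates: a cookie issued before the stamp changed is still honoured until the next check is due.

```csharp
using System;
using System.Collections.Generic;
public class FakeUser { public string Id; public string SecurityStamp = Guid.NewGuid().ToString("D"); }

// Stand-in for the UserManager methods that touch the stamp (example code, not Identity's).
public class FakeUserManager
{
    private readonly Dictionary<string, FakeUser> _store = new Dictionary<string, FakeUser>();
    public void Add(FakeUser u) => _store[u.Id] = u;
    public FakeUser FindById(string id) => _store.TryGetValue(id, out var u) ? u : null;
    // Mirrors UserManager.UpdateSecurityStampAsync: a fresh Guid invalidates every older cookie.
    public void UpdateSecurityStamp(string id) => FindById(id).SecurityStamp = Guid.NewGuid().ToString("D");
}

// What the cookie middleware keeps in the encrypted auth ticket (the stamp rides along as a claim).
public class AuthCookie { public string UserId; public string SecurityStamp; public DateTime IssuedUtc; }

public static class StampValidator
{
    public static AuthCookie SignIn(FakeUser u, DateTime nowUtc) =>
        new AuthCookie { UserId = u.Id, SecurityStamp = u.SecurityStamp, IssuedUtc = nowUtc };

    // Mirrors SecurityStampValidator.OnValidateIdentity: the store is consulted only once
    // validateInterval has elapsed. Returns the re-issued cookie, or null to reject the sign-in.
    public static AuthCookie Validate(AuthCookie c, FakeUserManager mgr, TimeSpan validateInterval, DateTime nowUtc)
    {
        if (nowUtc - c.IssuedUtc < validateInterval) return c;                    // not due: accepted unchecked
        var user = mgr.FindById(c.UserId);
        if (user == null || user.SecurityStamp != c.SecurityStamp) return null;  // stamp changed: reject
        return SignIn(user, nowUtc);                                              // unchanged: refresh claims
    }
}

public static class Program
{
    public static void Main()
    {
        var mgr = new FakeUserManager();
        mgr.Add(new FakeUser { Id = "u1" });                               // constructed sample user
        var t0 = new DateTime(2014, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        var interval = TimeSpan.FromMinutes(30);                           // same value as the config above
        var cookie = StampValidator.SignIn(mgr.FindById("u1"), t0);        // issued before the password change
        mgr.UpdateSecurityStamp("u1");                                     // what a password change triggers
        // True: a cookie issued inside the interval is still honoured until the next check is due.
        Console.WriteLine(StampValidator.Validate(cookie, mgr, interval, t0.AddMinutes(5)) != null);
        // False: once the check runs, the stale stamp signs that session out everywhere.
        Console.WriteLine(StampValidator.Validate(cookie, mgr, interval, t0.AddMinutes(30)) != null);
    }
}
```

A shorter validateInterval narrows the window in which an already-issued cookie survives a stamp change, at the cost of one store lookup per interval for each active session.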
