Asp.Net Identity with 2FA - remember browser cookie not retained after session


Question

I'm using the latest sample code for MVC5.2 with Asp.Identity and Two Factor authentication.

With 2FA enabled, when a user logs in, they get prompted for a code (sent by phone or email) and they have the option to "Remember Browser" - so that they don't get asked for codes again on that browser.

This is handled in the VerifyCode action:

var result = await SignInManager.TwoFactorSignInAsync(model.Provider, model.Code, isPersistent:  model.RememberMe, rememberBrowser: model.RememberBrowser);

Note that model.RememberMe is not used in the default templates so it is false.

I find when I do this the .AspNet.TwoFactorRememberBrowser cookie that gets set expires on session end (so it does not remember the browser).

Now if I set isPersistent = true, .AspNet.TwoFactorRememberBrowser gets an expiration of 30 days, which is great, but the .AspNet.ApplicationCookie also gets a 30 day expiration - which means that when I close the browser and re-open, I am automatically logged in.

I want it so that it doesn't persist my login, but that it will persist my choice of remembering the 2FA code. I.e. the user should always have to log in, but they should not be asked for a 2FA code if they have already saved it.

Has anybody else seen this, or am I missing something?

Answer

It doesn't seem like this code was designed to set more than one identity cookie in the same request/response, because the OWIN cookie handlers end up sharing the same AuthenticationProperties. This is because the AuthenticationResponseGrant has a single principal, but the principal can have multiple identities.

You can work around this bug by altering and then restoring the AuthenticationProperties in the ResponseSignIn and ResponseSignedIn events specific to the 2FA cookie provider:

        //Don't use this.
        //app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);

        //Set the 2FA cookie expiration and persistence directly
        //ExpireTimeSpan and SlidingExpiration should match the Asp.Net Identity cookie setting
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            CookieName = DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie,
            ExpireTimeSpan = TimeSpan.FromHours(2),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                // Runs before this middleware writes its cookie: stash the caller's
                // values, then force a persistent 14-day cookie for the 2FA identity only.
                OnResponseSignIn = ctx =>
                {
                    ctx.OwinContext.Set("auth-prop-expires", ctx.Properties.ExpiresUtc);
                    ctx.OwinContext.Set("auth-prop-persist", ctx.Properties.IsPersistent);
                    var issued = ctx.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
                    ctx.Properties.ExpiresUtc = issued.AddDays(14);
                    ctx.Properties.IsPersistent = true;
                },
                // Runs after the cookie is written: put the shared properties back so the
                // application cookie middleware still sees the original IsPersistent/ExpiresUtc.
                OnResponseSignedIn = ctx =>
                {
                    ctx.Properties.ExpiresUtc = ctx.OwinContext.Get<DateTimeOffset?>("auth-prop-expires");
                    ctx.Properties.IsPersistent = ctx.OwinContext.Get<bool>("auth-prop-persist");
                }
            }
        });

Make sure to set the same ExpireTimeSpan and SlidingExpiration as your main Asp.Net Identity cookie to preserve those settings (since they get merged in the AuthenticationResponseGrant).
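The following is an added example, not code from the question, the answer, or the ASP.NET Identity project. It spins up an in-memory OWIN pipeline with Microsoft.Owin.Testing, registers the application cookie the way the MVC 5 template does and the remember-browser cookie with the save-and-restore workaround from the answer, then issues a single SignIn carrying both identities and one AuthenticationProperties (the same call shape SignInManager.TwoFactorSignInAsync uses) and reads back the Set-Cookie headers. The class and method names (RememberBrowserCookieCheck, SignInAndCollectCookies) and the explicit cookie names are assumptions for the example; it expects the NuGet packages Microsoft.Owin.Testing, Microsoft.Owin.Security.Cookies and Microsoft.AspNet.Identity.Owin.

```csharp
// Added example (not from the original question or answer).
// Assumed packages: Microsoft.Owin.Testing, Microsoft.Owin.Security.Cookies,
// Microsoft.AspNet.Identity.Owin.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Testing;
using Owin;

public static class RememberBrowserCookieCheck
{
    // Cookie names are set explicitly here (assumed; they match the names the question reports).
    const string AppCookieName = ".AspNet.ApplicationCookie";
    const string TwoFactorCookieName = ".AspNet.TwoFactorRememberBrowser";

    public static void ConfigureAuth(IAppBuilder app)
    {
        // Application cookie as in the MVC 5 template; ExpireTimeSpan and
        // SlidingExpiration are left at the middleware defaults (14 days, sliding).
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieName = AppCookieName,
        });

        // Remember-browser cookie with the answer's workaround. Both middlewares receive
        // the same AuthenticationProperties object, so the values are forced only for
        // the duration of this middleware's own cookie write and then restored.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            CookieName = TwoFactorCookieName,
            Provider = new CookieAuthenticationProvider
            {
                OnResponseSignIn = ctx =>
                {
                    ctx.OwinContext.Set("auth-prop-expires", ctx.Properties.ExpiresUtc);
                    ctx.OwinContext.Set("auth-prop-persist", ctx.Properties.IsPersistent);
                    var issued = ctx.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
                    ctx.Properties.ExpiresUtc = issued.AddDays(14);
                    ctx.Properties.IsPersistent = true;
                },
                OnResponseSignedIn = ctx =>
                {
                    ctx.Properties.ExpiresUtc = ctx.OwinContext.Get<DateTimeOffset?>("auth-prop-expires");
                    ctx.Properties.IsPersistent = ctx.OwinContext.Get<bool>("auth-prop-persist");
                }
            }
        });
    }

    // Signs in both identities in one request (as TwoFactorSignInAsync does) and
    // returns every Set-Cookie header the response carries.
    public static async Task<List<string>> SignInAndCollectCookies(bool isPersistent)
    {
        using (var server = TestServer.Create(app =>
        {
            ConfigureAuth(app);
            app.Run(async ctx =>
            {
                var userIdentity = new ClaimsIdentity(
                    new[] { new Claim(ClaimTypes.NameIdentifier, "user-1") },
                    DefaultAuthenticationTypes.ApplicationCookie);
                var rememberBrowser = ctx.Authentication.CreateTwoFactorRememberBrowserIdentity("user-1");
                // One AuthenticationProperties instance shared by both identities.
                ctx.Authentication.SignIn(
                    new AuthenticationProperties { IsPersistent = isPersistent },
                    userIdentity, rememberBrowser);
                await ctx.Response.WriteAsync("ok");
            });
        }))
        {
            var response = await server.HttpClient.GetAsync("/");
            IEnumerable<string> values;
            return response.Headers.TryGetValues("Set-Cookie", out values)
                ? values.ToList()
                : new List<string>();
        }
    }

    // A cookie without an expires attribute is a session cookie; with one it survives browser restart.
    public static bool HasExpires(string setCookie) =>
        setCookie.IndexOf("expires=", StringComparison.OrdinalIgnoreCase) >= 0;

    public static void Main()
    {
        var cookies = SignInAndCollectCookies(isPersistent: false).Result;
        var appCookie = cookies.First(c => c.StartsWith(AppCookieName + "="));
        var twoFactorCookie = cookies.First(c => c.StartsWith(TwoFactorCookieName + "="));
        Console.WriteLine("application cookie has expires: " + HasExpires(appCookie));
        Console.WriteLine("remember-browser cookie has expires: " + HasExpires(twoFactorCookie));
    }
}
```

With the workaround in place and isPersistent false, the application cookie should come back without an expires attribute (session-only, so the user must log in again after closing the browser) while the remember-browser cookie carries one; removing the two provider callbacks reproduces the behaviour the question describes, where both cookies are session-only. Two cautions when adopting this: the restored values matter because the same AuthenticationProperties object is what the application cookie middleware reads, so do not drop the OnResponseSignedIn half; and the remember-browser cookie is a long-lived bearer credential that waives the second factor, so serve it only over HTTPS (CookieSecure = CookieSecureOption.Always) and keep the default CookieHttpOnly.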
