What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?


Question

Looking at ASP.NET Identity (the new membership implementation in ASP.NET), I came across this interface when implementing my own UserStore:

// Microsoft.AspNet.Identity.Core.dll

namespace Microsoft.AspNet.Identity
{
    // Extends the base IUserStore<TUser>; the base interface name was missing after the colon
    public interface IUserSecurityStampStore<TUser> : IUserStore<TUser> where TUser : IUser
    {
        // Methods
        Task<string> GetSecurityStampAsync(TUser user);
        Task SetSecurityStampAsync(TUser user, string stamp);
    }
}

IUserSecurityStampStore is implemented by the default EntityFramework.UserStore<TUser>, which essentially gets and sets the TUser.SecurityStamp property.

After some more digging, it appears that a SecurityStamp is a Guid that is newly generated at key points in the UserManager (for example, when changing passwords).

I can't really decipher much beyond this since I'm examining this code in Reflector. Almost all the symbol and async information has been optimized out.

Also, Google hasn't been much help.

  • What is a SecurityStamp in ASP.NET Identity and what is it used for?
  • Does the SecurityStamp play any role when authentication cookies are created?
  • Are there any security ramifications or precautions that need to be taken with this? For example, don't send this value downstream to clients?

The source code is available here:

Accepted answer

This is meant to represent the current snapshot of your user's credentials. So if nothing changes, the stamp will stay the same. But if the user's password is changed, or a login is removed (unlink your google/fb account), the stamp will change. This is needed for things like automatically signing users out/rejecting old cookies when this occurs, which is a feature that's coming in 2.0.

Identity is not open source yet; it's currently still in the pipeline.

Updated for 2.0.0. So the primary purpose of the SecurityStamp is to enable sign out everywhere. The basic idea is that whenever something security related is changed on the user, like a password, it is a good idea to automatically invalidate any existing sign in cookies, so if your password/account was previously compromised, the attacker no longer has access.

In 2.0.0 we added the following configuration to hook the OnValidateIdentity method in the CookieMiddleware to look at the SecurityStamp and reject cookies when it has changed. It also automatically refreshes the user's claims from the database every refreshInterval if the stamp is unchanged (which takes care of things like changing roles etc).

app.UseCookieAuthentication(new CookieAuthenticationOptions {
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

If your app wants to trigger this behavior explicitly, it can call:

UserManager.UpdateSecurityStampAsync(userId);
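To make the mechanism in the answer concrete, here is an added stand-alone model of what the validator does (example code, not Identity's own implementation; AppUser, AuthTicket and StampValidatorModel are hypothetical names). It shows the one caveat a practitioner should keep in mind: a rotated stamp only rejects the cookie at the next check, so a stolen cookie stays valid for up to validateInterval after the password change.

```csharp
using System;
using System.Collections.Generic;

// Added model of the SecurityStampValidator check (not Identity's own code; all names are hypothetical).
public class AppUser { public string Id, PasswordHash; public string SecurityStamp = Guid.NewGuid().ToString(); }
// What the sign-in cookie carries: user id, the stamp claim copied at sign-in, and the last check time.
public class AuthTicket { public string UserId, StampClaim; public DateTime LastValidatedUtc; }

public class StampValidatorModel
{
    readonly Dictionary<string, AppUser> store = new Dictionary<string, AppUser>(); // stands in for the UserStore
    readonly TimeSpan validateInterval;
    public StampValidatorModel(TimeSpan interval) { validateInterval = interval; }
    public void AddUser(AppUser u) { store[u.Id] = u; }

    // Sign-in snapshots the current stamp into the ticket (Identity carries it as a claim on the identity).
    public AuthTicket SignIn(string userId, DateTime nowUtc)
    {
        return new AuthTicket { UserId = userId, StampClaim = store[userId].SecurityStamp, LastValidatedUtc = nowUtc };
    }

    // A password change rotates the stamp, which is what UpdateSecurityStampAsync does for the real store.
    public void ChangePassword(string userId, string newHash)
    {
        store[userId].PasswordHash = newHash;
        store[userId].SecurityStamp = Guid.NewGuid().ToString();
    }

    // The store is consulted only once per validateInterval; a rotated stamp is rejected at the next check.
    public bool Validate(AuthTicket t, DateTime nowUtc)
    {
        if (nowUtc - t.LastValidatedUtc < validateInterval) return true; // cookie trusted until the interval elapses
        AppUser u;
        if (!store.TryGetValue(t.UserId, out u) || u.SecurityStamp != t.StampClaim) return false;
        t.LastValidatedUtc = nowUtc; // stamp unchanged: refresh (claims would be reloaded here) and keep the session
        return true;
    }

    public static void Main()
    {
        var model = new StampValidatorModel(TimeSpan.FromMinutes(30)); // same interval as the answer's config
        model.AddUser(new AppUser { Id = "u1", PasswordHash = "hash-v1" });      // constructed sample user
        var t0 = new DateTime(2014, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        var ticket = model.SignIn("u1", t0);
        model.ChangePassword("u1", "hash-v2");                                  // stamp rotates here
        Console.WriteLine("5 min after change:  " + model.Validate(ticket, t0.AddMinutes(5)));  // still inside the interval
        Console.WriteLine("31 min after change: " + model.Validate(ticket, t0.AddMinutes(31))); // next check sees the new stamp
    }
}
```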
