
ASP.net Identity cookie inconsistencies with two factor authentication

Problem description:

When I set up ASP.net Identity and leave two factor authentication disabled, everything seems to work according to plan. However, when I enable two factor authentication I notice the following inconsistencies:

1) If you leave "Remember me" and "Remember this browser" unchecked, the authentication cookie is created as a session cookie and the remember browser cookie is not created. This works as expected.

2) If you check "Remember me" and leave "Remember this browser" unchecked, the authentication cookie is created as a stored cookie and the remember browser cookie is not created. This works as expected.

3) If you leave "Remember me" unchecked, and check "Remember this browser", both cookies are created as session cookies. This does not work as expected. I would expect "Remember this browser" to create a stored cookie. As soon as you close the browser you have to use the verification code on the next login.

4) If you check both "Remember Me" and "Remember this Browser", both cookies are created as stored cookies with an expiration of 2 weeks (or the value specified in CookieAuthenticationOptions in Startup.Auth.cs). I would expect to be able to set the browser cookie expiration independently of the user auth cookie.

5) I tried manually setting a longer expiration timeout for the browser cookie in the VerifyCode action on the AccountController using the following code:

    if (model.RememberBrowser)
    {
        // Look up the user who has already been verified for this two-factor sign-in.
        var user = await UserManager.FindByIdAsync(await SignInManager.GetVerifiedUserIdAsync());
        var rememberBrowserIdentity = AuthenticationManager.CreateTwoFactorRememberBrowserIdentity(user.Id.ToString());
        // Issue the remember-browser identity as persistent with a one-year expiry.
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true, ExpiresUtc = DateTime.UtcNow.AddDays(365) }, rememberBrowserIdentity);
    }

This resulted in both the authentication cookie and the two factor remember computer cookie having a 1 year expiration date. I would have expected the authentication cookie to respect the value in the config, and the remember browser cookie to expire in 1 year. If you log out and log back in, the authentication cookie correctly uses the value in the configuration.

Is there a way to independently configure these cookie expirations in ASP.net Identity, or any work-arounds?
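One way to check a login response against the observations above, as an added example that is not part of the original question: it parses the `Set-Cookie` headers and flags a session-only remember-browser cookie, a shared expiry, and an authentication cookie that outlives its configured lifetime. The cookie names are assumed to be the ASP.NET Identity 2 template defaults, and the helper names and sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed: default cookie names of the ASP.NET Identity 2 template (not given in the question).
AUTH = ".AspNet.ApplicationCookie"
REMEMBER = ".AspNet.TwoFactorRememberBrowser"

def parse_set_cookie(header, now):
    """Return (name, lifetime_in_days); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return name, (expires - now).total_seconds() / 86400
    return name, None

def audit(headers, now, auth_days=14):
    """Compare a login response's cookies with what the question expects."""
    life = dict(parse_set_cookie(h, now) for h in headers)
    auth, remember = life.get(AUTH), life.get(REMEMBER)
    findings = []
    if REMEMBER in life and remember is None:
        findings.append("remember-browser cookie is session-only")
    if auth is not None and remember is not None and abs(auth - remember) < 1:
        findings.append("both cookies share one expiry")
    if auth is not None and auth > auth_days + 1:
        findings.append("auth cookie outlives configured lifetime")
    return findings

# Constructed sample responses for scenarios 3 and 5 of the question.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
YEAR = "expires=Tue, 31 Dec 2024 12:00:00 GMT"
SCENARIO_3 = [f"{AUTH}=aaa; path=/; HttpOnly", f"{REMEMBER}=bbb; path=/; HttpOnly"]
SCENARIO_5 = [f"{AUTH}=aaa; path=/; {YEAR}; HttpOnly",
              f"{REMEMBER}=bbb; path=/; {YEAR}; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("3", SCENARIO_3), ("5", SCENARIO_5)):
        print(label, audit(headers, NOW))
```
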
