aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

AddIdentity should check if IUserSecurityStampStore is implemented before registering a check on securityStamp #1880

Closed tiljanssen closed 6 years ago

tiljanssen commented 6 years ago

If the UserStore does not implement IUserSecurityStampStore, most functionality regarding security stamps will be skipped, but AddIdentity() does register a validation on the securityStamp every 30 minutes.

This results in the confusing behaviour that the user is logged out after 30 minutes, even though the cookies did not expire.

AddIdentity should check whether the UserSecurityStampStore is supported before registering the check, and either throw, or skip the check.

See also #1425

blowdart commented 6 years ago

@HaoK

HaoK commented 6 years ago

Moving to preview1 since this is a product issue, not an infrastructure/mq type thing

HaoK commented 6 years ago

@blowdart @ajcvickers we actually can't stop registering the security stamp since this is all during configure services, we don't have the final store until the service provider is built, so we must always register the validator.

Today we reject all cookies when the store doesn't support security stamp, so that is why the cookies are invalidated every 30 minutes. Maybe the tactical fix we can make here is to just consider cookies always valid when security stamps aren't supported, so instead of getting logged out every validation interval, they will just get a new cookie at that time always.

Sound reasonable?

blowdart commented 6 years ago

Yea that seems the right way to go

ajcvickers commented 6 years ago

Agreed.

HaoK commented 6 years ago

Fixed via https://github.com/aspnet/Identity/pull/1941
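
A simplified model of the validation decision discussed in this thread, added here as an illustration; it is not code from ASP.NET Core Identity or from the linked pull request, and every type and member name in it is hypothetical. It contrasts rejecting the cookie with accepting and reissuing it when the store has no security stamp, and, going slightly beyond the thread, includes the stamp comparison for a store that does support one.

```csharp
using System;

// Simplified model of the decision discussed in this thread, NOT ASP.NET Core Identity source.
// Every type and member name here is hypothetical; timestamps and stamps are constructed samples.
public enum UnsupportedStampPolicy { RejectCookie, AcceptAndReissue }

public sealed class Ticket
{
    public DateTimeOffset IssuedUtc { get; set; }
    public string Stamp { get; set; } // null when the store keeps no security stamp
}

public static class StampValidationModel
{
    public static readonly TimeSpan Interval = TimeSpan.FromMinutes(30);

    // Returns the ticket to keep using, or null when the user must be signed out.
    public static Ticket Validate(Ticket ticket, DateTimeOffset now, bool storeSupportsStamp,
                                  string currentStamp, UnsupportedStampPolicy policy)
    {
        if (now - ticket.IssuedUtc < Interval)
            return ticket; // check not due yet, cookie is used as-is

        if (!storeSupportsStamp)
        {
            // Behaviour reported in the issue versus the fix proposed in the thread.
            return policy == UnsupportedStampPolicy.AcceptAndReissue
                ? new Ticket { IssuedUtc = now, Stamp = null }
                : null;
        }

        // Store supports stamps: a changed stamp ends the session at the next check.
        return string.Equals(ticket.Stamp, currentStamp, StringComparison.Ordinal)
            ? new Ticket { IssuedUtc = now, Stamp = currentStamp }
            : null;
    }

    static string Show(Ticket t) => t == null ? "signed out" : "cookie issued " + t.IssuedUtc.ToString("HH:mm");

    public static void Main()
    {
        var t0 = new DateTimeOffset(2018, 1, 1, 9, 0, 0, TimeSpan.Zero);
        var later = t0.AddMinutes(31); // first request after the interval has elapsed
        var plain = new Ticket { IssuedUtc = t0, Stamp = null };
        var stamped = new Ticket { IssuedUtc = t0, Stamp = "stamp-A" };
        Console.WriteLine("no stamp store, reject:  " + Show(Validate(plain, later, false, null, UnsupportedStampPolicy.RejectCookie)));
        Console.WriteLine("no stamp store, reissue: " + Show(Validate(plain, later, false, null, UnsupportedStampPolicy.AcceptAndReissue)));
        Console.WriteLine("stamp store, rotated:    " + Show(Validate(stamped, later, true, "stamp-B", UnsupportedStampPolicy.AcceptAndReissue)));
    }
}
```

In this model, a store without security stamps under `AcceptAndReissue` never has a session ended by the periodic check; only the cookie's own expiry ends it.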