dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

When is the Authentication cookie bound to the current authenticated user and How does the bind happen? #10134

Closed bensongathee closed 5 years ago

bensongathee commented 5 years ago

Hey guys, so I'm working on an ASP.NET web application and I'm having trouble figuring out:

1.) When is the Authentication cookie bound to the current authenticated user?

2.) How does the bind happen?

Though it works, I find it weird that the Login method, accessible via (// POST: /Account/Login), does not in any way bind the authenticated user to the cookie after confirming that the user exists in the database.

Can anyone give a simple and easy-to-understand explanation of why this is the case? I haven't found any good documentation yet after a sleepless night.

I'm using the default [ASP.NET Web Application (.NET Framework)] template.

Here is the sign-in cookie configuration:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(1),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    },
    SlidingExpiration = false,
    ExpireTimeSpan = TimeSpan.FromMinutes(2)
});
```

And here is the Login POST action, which confirms and authenticates a user with no reference to the cookie (// POST: /Account/Login):

```csharp
// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    // This doesn't count login failures towards account lockout
    // To enable password failures to trigger account lockout, change to shouldLockout: true
    // On SignInStatus.Success the SignInManager has already issued the authentication
    // cookie through the OWIN AuthenticationManager; this action only redirects.
    var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
    switch (result)
    {
        case SignInStatus.Success:
            return RedirectToLocal(returnUrl);
        case SignInStatus.LockedOut:
            return View("Lockout");
        case SignInStatus.RequiresVerification:
            return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
        case SignInStatus.Failure:
        default:
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
    }
}
```
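The binding the question asks about happens inside `SignInManager.PasswordSignInAsync`: after the password check succeeds it calls `SignInAsync`, which builds a `ClaimsIdentity` from the user record and hands it to the OWIN `AuthenticationManager.SignIn`. The cookie middleware registered by `app.UseCookieAuthentication` then serialises that identity into an `AuthenticationTicket`, encrypts and signs it with the app's data-protection key, and writes it as the `.AspNet.ApplicationCookie` response cookie. On later requests the same middleware decrypts the ticket and sets `HttpContext.User` before any action runs. The following controller is an added example, not code from the issue or from the ASP.NET template: it performs those steps explicitly so the bind is visible, and exposes an action that reads the identity rebuilt from the cookie. It assumes the default Identity 2.x + OWIN template types (`ApplicationUser`, `ApplicationUserManager`); the controller and action names are hypothetical, and the security-stamp claim type string is the default Identity 2.x writes.

```csharp
// Added example (not from the issue or the template): the explicit equivalent of
// SignInManager.PasswordSignInAsync(email, password, rememberMe, shouldLockout: false),
// plus an action that inspects the identity the cookie middleware rebuilt.
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class ExplicitSignInController : Controller  // hypothetical controller name
{
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    private IAuthenticationManager AuthenticationManager =>
        HttpContext.GetOwinContext().Authentication;

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LoginExplicit(string email, string password, bool rememberMe)
    {
        // 1. Database check only: find the user and verify the password hash.
        //    Nothing cookie-related has happened yet.
        var user = await UserManager.FindByNameAsync(email);
        if (user == null || !await UserManager.CheckPasswordAsync(user, password))
        {
            // Returning 401 makes the cookie middleware redirect to LoginPath.
            return new HttpUnauthorizedResult();
        }

        // 2. This is the "bind": the user's Id, user name, roles and current
        //    SecurityStamp are copied into claims on a ClaimsIdentity whose
        //    AuthenticationType matches the cookie middleware's AuthenticationType.
        ClaimsIdentity identity = await UserManager.CreateIdentityAsync(
            user, DefaultAuthenticationTypes.ApplicationCookie);

        // 3. Hand the identity to the OWIN cookie middleware. It wraps the identity in
        //    an AuthenticationTicket (with issued/expiry timestamps), protects it with the
        //    data-protection key, and emits it as the ".AspNet.ApplicationCookie" cookie.
        //    The browser now carries an opaque, tamper-evident copy of the identity.
        //    Clearing the external-login cookie first mirrors what SignInManager.SignInAsync does.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        AuthenticationManager.SignIn(
            new AuthenticationProperties { IsPersistent = rememberMe }, identity);

        return RedirectToAction("WhoAmI");
    }

    // On every later request the middleware has already decrypted the ticket and set
    // HttpContext.User, so the claims are readable without a database round trip.
    [Authorize]
    public ActionResult WhoAmI()
    {
        var identity = (ClaimsIdentity)User.Identity;
        var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        // Default claim type written by Identity 2.x's ClaimsIdentityFactory; this is the
        // value SecurityStampValidator compares with the stored stamp every validateInterval.
        var stamp = identity.FindFirst("AspNet.Identity.SecurityStamp")?.Value;

        var cookie = Request.Cookies[".AspNet.ApplicationCookie"];
        var cookieLength = cookie?.Value?.Length ?? 0;

        return Content($"Id={userId}; Name={identity.Name}; stamp={stamp}; " +
                       $"cookie payload={cookieLength} chars (encrypted, not readable by the client)");
    }
}
```

Two consequences of the configuration shown above follow from this: with `SlidingExpiration = false` and `ExpireTimeSpan = TimeSpan.FromMinutes(2)` the expiry stored in the ticket is absolute, so the cookie stops authenticating two minutes after sign-in no matter how active the user is; and with `validateInterval: TimeSpan.FromMinutes(1)` the validator re-reads the user at most once a minute, so a password change (which rotates the stored SecurityStamp) invalidates every previously issued cookie at the next validation rather than immediately.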

Rick-Anderson commented 5 years ago

Would you mind opening this issue with the "content feedback" button at the bottom of the problem page? It helps us keep track of issues related to docs and gets the attention of the doc owners.

You'll probably get a faster answer on a support forum, such as Stack Overflow, or a support chat, such as Slack or Gitter. If you post the question elsewhere, please update this issue with the link.