4,829 questions
the only way to validate the security token is via a database hit to get the saved value. If you want on every request, then set to 0, else the maximum time you want allow access.
How to validate security stamp on next request
iKingNinja
120
Reputation points
When using ASP.NET Core Identity how can I make it so a user's security stamp will be validated on the next request they make? For context I have a logout all sessions feature and I want to logout other sessions immediately on the next request after the account owner disconnects all. However Identity has an interval of X minutes before validating the security stamp of a session, so how can I make this immediate without setting the validation interval to 0?
Developer technologies | ASP.NET | ASP.NET Core
Accepted answer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bruce (SqlWork.com) 78,161 Reputation points Volunteer Moderator2024-11-03T19:53:49.16+00:00 -
iKingNinja 120 Reputation points
2024-11-03T20:06:42.07+00:00 So I'm guessing the only way would be to store the security stamp in a cache like Redis instead of the cookie but I'm wondering if at this point it wouldn't be better to just use server sessions for everything
-
Bruce (SqlWork.com) 78,161 Reputation points Volunteer Moderator
2024-11-04T23:06:21.64+00:00 the security stamp in the cookie is compared to the persisted value in the database. you could use redis as the persistent instead of the database for the compare. You would need to add the compare logic.
note: as the user table is not typically large, redis may be slower then the database hit.
Sign in to comment -
2 additional answers
Sort by: Most helpful
-
SurferOnWww 4,721 Reputation points2024-11-04T04:01:56.2633333+00:00 so how can I make this immediate without setting the validation interval to 0?
Please try calling
userManager.UpdateSecurityStampAsync(user)when logging out.Please refer to the following Microsoft document for details:
ISecurityStampValidator and SignOut everywhere
"Call
userManager.UpdateSecurityStampAsync(user)to force existing cookies to be invalided the next time they are checked."-
SurferOnWww 4,721 Reputation points
2024-11-04T09:25:49.3266667+00:00 Although calling
userManager.UpdateSecurityStampAsync(user)will change the SecurityStamp in the database immediately, however, please note that the change does not mean immediate invalidation of user authentication.ASP.NET keeps checking the SecurityStamp with the interval set in
SecurityStampValidatorOptions.ValidationIntervaland invalidates authentication at the end of the interval in which the SecurityStamp has been changed.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2024-11-04T05:56:08.0733333+00:00 Hi @iKingNinja,
As SurferOnWww said, you could use the
userManager.UpdateSecurityStampAsync(user)method and theSecurityStampValidatorOptions.ValidationIntervalProperty to make the logout user's cookie invalid.In the Asp.net core Identity
Logout.cshtml.cspage (if you can't find this page from the Identity Areas, see Scaffold Identity in ASP.NET Core projects), in theOnPostmethod, find the current user and update the Security Stamp:public class LogoutModel : PageModel { private readonly SignInManager<IdentityUser> _signInManager; private readonly ILogger<LogoutModel> _logger; private readonly UserManager<IdentityUser> _userManager; public LogoutModel(SignInManager<IdentityUser> signInManager, ILogger<LogoutModel> logger, UserManager<IdentityUser> userManager) { _signInManager = signInManager; _logger = logger; _userManager = userManager; } public async Task<IActionResult> OnPost(string returnUrl = null) { //get the current user. var userId = _userManager.GetUserId(User); var user = await _userManager.FindByIdAsync(userId); //update the security stamp await _userManager.UpdateSecurityStampAsync(user); //signoutasync clears the user's claims stored in the cookie. await _signInManager.SignOutAsync(); _logger.LogInformation("User logged out."); if (returnUrl != null) { return LocalRedirect(returnUrl); } else { // This needs to be a redirect so that the browser performs a new // request and the identity for the user gets updated. return RedirectToPage(); } } }Then, in the Program.cs file, add the following code to modify the validation interval.
builder.Services.Configure<SecurityStampValidatorOptions>(options => { // Force Identity's security stamp to be validated every 10 seconds. options.ValidationInterval = TimeSpan.FromSeconds(10); });
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Best regards,
Dillion