This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 50%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I am doing app with login with ticket store. Problem is that I wish to obtain new key to be in cookie
each time it is used. So I wish new key after each use. I tried to log out and log in controller to get new key but it fails to work. It gives me same key. How to get different value for ticket in cookie each time it is used?
The code for MemoryTicketStore
using Microsoft.Extensions.Caching.Memory;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication;
public class MemoryCacheTicketStore : ITicketStore
{
private IMemoryCache _cache;
public MemoryCacheTicketStore()
{
_cache = new MemoryCache(new MemoryCacheOptions());
}
public async Task ClearAll()
{
_cache.Dispose();
_cache = new MemoryCache(new MemoryCacheOptions());
}
public async Task StoreAsync(AuthenticationTicket ticket)
{
var guid = Guid.NewGuid();
var key = DateTime.Now + guid.ToString();
await RenewAsync(key, ticket);
return key;
}
public Task RenewAsync(string key, AuthenticationTicket ticket)
{
var options = new MemoryCacheEntryOptions();
var expiresUtc = ticket.Properties.ExpiresUtc;
if (expiresUtc.HasValue)
{
options.SetAbsoluteExpiration(expiresUtc.Value);
}
options.SetSlidingExpiration(TimeSpan.FromDays(100*356));//on server
_cache.Set(key, ticket, options);
return Task.FromResult(0);
}
public Task RetrieveAsync(string key)
{
AuthenticationTicket ticket;
_cache.TryGetValue(key, out ticket);
return Task.FromResult(ticket);
}
public Task RemoveAsync(string key)
{
_cache.Remove(key);
return Task.FromResult(0);
}
}
The code for program.cs is
builder.Services.AddDbContext(options => options.UseMySql(connectionString, ServerVersion.AutoDetect(connectionString)));
builder.Services.AddIdentity()
.AddEntityFrameworkStores();
MemoryCacheTicketStore memoryCacheTicketStore = new MemoryCacheTicketStore();
builder.Services.AddSingleton(memoryCacheTicketStore);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie();
builder.Services.ConfigureApplicationCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromDays(356*100);//on server
options.SlidingExpiration = true;
options.SessionStore = memoryCacheTicketStore;
options.Cookie.Name = "identity_token";
});
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @jacek.sniadecki2022,
Could you please share your login in and log out codes and then let us reproduce the issue to see what happened.
Thanks.
here is middleware to modify BUT it is sealed class so I do not know how to modify it? how much would I pay for that to be done and who will I pay? think of ticket is easily stolen so then every use the key is changed so it is virtually impossible to steal ticket because on new connection stolen ticket is invalid and I have to login again to see that someone else is using old key. all used keys are visible in ticket store
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
a ticketstore is used to store the cookie authentication values outside the cookie so the cookie only has the key. the store can not change the cookie's key. you would need to change the cookie middleware to change the key on every request. to do this you will need to implement some solution to handle concurrent requests, as the server does not know the completion order.
how much would it cost me to have new ticket key in cookie every time it is used? who would i pay for that?
you could write middleware to change the cookie. The issue is concurrent requests (very common). the server does not know which request finishes last in the browser as it may not match the servers order.
request1 (token1) -> server updates cookie to token2
request2 (token1) -> server updates cookie to token3
request3 (token1) -> server updates cookie to token4
... delay
request4 will be token 2, 3 or 4 depend on which request the browser processed last.
you might think that serializing the server request server would work, but it will not with fast requests. they are all async to the browser, and it controls the response processing. the new http protocol makes this even more complex as it multiplexes requests on the same connection.
one approach is to not authenticate any static content only the page (and no frames). no javascript can be used until page load event. no concurrent javascript allowed. every javascript request must check that any pending request has completed. you should probably build a singleton object with a queue to implement this. sort of a deferred fifo queue.
obviously opening the site in two tabs may cause issues.
who would do that?who will I pay?
see here question in stackoverflow
the problem is that cryptography methods are in sealed class so I do not know how to implement cryptography so that the ticket store (asp) would understand cookie content (ticket)
Just use another cookie value to hold your new unique changing id, store the pair in storage and check with validate authorization event.
note: you are using a memory store that is lost on recycle so it will never last as long as your login cookie.