When is the authentication cookie bound to the current authenticated user, and how does the bind happen?

So I'm working on an ASP.NET web application and I'm having trouble figuring out:

1) When is the authentication cookie bound to the current authenticated user?

2) How does the bind happen?

Though it works, I find it weird that the Login method, accessible via POST /Account/Login, does not in any way bind the authenticated user to the cookie after confirming that the user exists in the database.

Can anyone give a simple and easy-to-understand explanation of why this is the case? I haven't found any good documentation yet, after a sleepless night.

I'm using the default ASP.NET Web Application (.NET Framework) template.

Here is the sign-in cookie configuration:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(1),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },
        SlidingExpiration = false,
        ExpireTimeSpan = TimeSpan.FromMinutes(2)
    });

And here is the Login POST action, which confirms and authenticates a user with no reference to a cookie:

    // POST: /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // This doesn't count login failures towards account lockout
        // To enable password failures to trigger account lockout, change to shouldLockout: true
        var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            case SignInStatus.RequiresVerification:
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
            case SignInStatus.Failure:
            default:
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }

asp.net asp.net-mvc asp.net-mvc-4 asp.net-web-api cookies

edited Dec 29 '18 at 17:53 by iElden
asked Dec 29 '18 at 15:22 by Benson Gathee
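
What PasswordSignInAsync does behind the scenes, written out step by step as an added example. This is not code from the original post nor from the ASP.NET Identity source (it follows the same sequence but leaves out the lockout and two-factor branches). It assumes the default template types ApplicationUserManager, ApplicationUser and LoginViewModel, and the OWIN context exposed by HttpContext.GetOwinContext(); the controller name ExplicitLoginController is a placeholder:

```csharp
// Added example (not from the original post or the ASP.NET Identity library):
// the login flow of PasswordSignInAsync with the cookie issuance made explicit.
// Assumes the default template types ApplicationUserManager, ApplicationUser
// and LoginViewModel. Controller name and route are placeholders.
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class ExplicitLoginController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // POST: /ExplicitLogin/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Step 1: verify the credentials against the user store. Nothing about
        // the cookie has happened yet; a bad password never reaches step 2.
        ApplicationUser user = await UserManager.FindByNameAsync(model.Email);
        if (user == null || !await UserManager.CheckPasswordAsync(user, model.Password))
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        // Step 2: build the ClaimsIdentity that will be serialized into the
        // cookie. The authentication type must equal the one given to
        // UseCookieAuthentication, otherwise the cookie middleware ignores it.
        // CreateIdentityAsync adds the NameIdentifier, Name and security-stamp
        // claims that the validator compares on later requests.
        ClaimsIdentity identity = await UserManager.CreateIdentityAsync(
            user, DefaultAuthenticationTypes.ApplicationCookie);

        // Step 3: this is the "bind". SignIn does not write the cookie itself;
        // it records a grant that the cookie middleware turns into a Set-Cookie
        // header (".AspNet.ApplicationCookie") as the response leaves the pipeline.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        AuthenticationManager.SignIn(
            new AuthenticationProperties { IsPersistent = model.RememberMe },
            identity);

        // The browser only presents the cookie on its next request, so
        // User.Identity.IsAuthenticated is still false inside this action.
        return RedirectToLocal(returnUrl);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Open-redirect guard: only follow URLs local to this site.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

The cookie value the middleware emits is the serialized ClaimsIdentity plus the AuthenticationProperties (issued and expiry times, IsPersistent), encrypted and signed by the host's data protector (the ASP.NET machineKey under IIS). So the user's id and name travel in the cookie itself rather than in a server-side session, and only a server holding the same key material can read or forge it.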

  • It doesn't explicitly do this, but implicitly it does inside the framework: it uses the settings defined in UseCookieAuthentication to set up the auth cookie; the auth cookie isn't available for authentication until after logging in and redirecting away.

    – Brian Mains
    Dec 29 '18 at 20:12

  • Hey, would you kindly mind explaining this? What information does the cookie contain? How do the per-request operations happen, and how is the server able to validate the cookie on each request? Maybe something like the ASP.NET cookie request authentication/authorization workflow, from the time a request is sent till the time the request is finished. Also, kindly post the code that does each operation, like the one in Startup.Auth.cs, and what else it's responsible for other than issuing the cookie. Does it validate the cookie or something with each request?

    – Benson Gathee
    Dec 31 '18 at 6:08

  • The cookie contains the current user's user name, and yes, it validates on each request. This is all well documented by Microsoft, so I would recommend reading up on the process for authenticating and authorizing users.

    – Brian Mains
    Jan 2 at 17:44
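
For the follow-up question of what happens on each subsequent request, here is the same UseCookieAuthentication configuration from Startup.Auth.cs with the work that SecurityStampValidator.OnValidateIdentity performs written out by hand, as an added example (not the original post's code and not the library's own implementation, though it follows the same logic). It assumes the default template's ApplicationDbContext, ApplicationUserManager, ApplicationUser and GenerateUserIdentityAsync; the method name ValidateStampEveryMinute is a placeholder:

```csharp
// Added example (not from the original post or the Katana/Identity libraries):
// the per-request cookie validation spelled out instead of delegated to
// SecurityStampValidator.OnValidateIdentity. Assumes the default template types
// ApplicationDbContext, ApplicationUserManager and ApplicationUser.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Claim type under which CreateIdentityAsync stores the security stamp.
    private const string SecurityStampClaimType = "AspNet.Identity.SecurityStamp";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // Defence in depth: HttpOnly is already the default; CookieSecure
            // defaults to SameAsRequest, Always refuses to issue it over plain HTTP.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            SlidingExpiration = false,
            ExpireTimeSpan = TimeSpan.FromMinutes(2),
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request whose cookie the middleware could
                // unprotect (decrypt + verify the MAC) and that has not expired.
                OnValidateIdentity = ValidateStampEveryMinute
            }
        });
    }

    private static async Task ValidateStampEveryMinute(CookieValidateIdentityContext context)
    {
        TimeSpan validateInterval = TimeSpan.FromMinutes(1);
        DateTimeOffset now = context.Options.SystemClock.UtcNow;
        DateTimeOffset? issued = context.Properties.IssuedUtc;

        // Inside the interval the ticket is trusted as-is: no database round trip.
        if (issued.HasValue && now.Subtract(issued.Value) < validateInterval)
        {
            return;
        }

        ApplicationUserManager manager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        string userId = context.Identity.GetUserId();
        ApplicationUser user = userId == null ? null : await manager.FindByIdAsync(userId);

        // The stamp carried in the cookie must still match the one in the store.
        // A password change or "sign out everywhere" rotates the stored stamp, so
        // older cookies are rejected here even though their MAC is still valid.
        Claim stampClaim = context.Identity.FindFirst(SecurityStampClaimType);
        string stampInCookie = stampClaim == null ? null : stampClaim.Value;
        string stampInStore = user == null ? null : await manager.GetSecurityStampAsync(userId);

        if (user == null || stampInCookie == null || stampInCookie != stampInStore)
        {
            context.RejectIdentity();
            context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
            return;
        }

        // Stamp still valid: reissue a fresh identity and ticket. Clearing the
        // timestamps makes the middleware stamp new IssuedUtc/ExpiresUtc values,
        // so the next store check happens one interval from now.
        ClaimsIdentity fresh = await user.GenerateUserIdentityAsync(manager);
        context.Properties.IssuedUtc = null;
        context.Properties.ExpiresUtc = null;
        context.ReplaceIdentity(fresh);
        context.OwinContext.Authentication.SignIn(context.Properties, fresh);
    }
}
```

Two points worth keeping in mind: the middleware only invokes OnValidateIdentity after it has already unprotected the cookie and checked ExpiresUtc, so a tampered or expired cookie never reaches this callback; and within validateInterval the cookie is accepted purely on its signature, which is why a password change can take up to a minute to log out other sessions with this configuration.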