
In an MVC 5 project I'm using Microsoft.AspNet.Identity. I want to authorize the user with cookie and session. I record sessions on Redis.

    <sessionState mode="Custom" customProvider="MySessionStateStore">
      <providers>
        <add name="MySessionStateStore"
             type="Microsoft.Web.Redis.RedisSessionStateProvider"
             host="192.168.13.197"
             port="6379"
             accessKey=""
             ssl="false"
             throwOnError="true"
             retryTimeoutInMilliseconds="5000"
             databaseId="0"
             applicationName="IddaaWebSite"
             connectionTimeoutInMilliseconds="5000"
             operationTimeoutInMilliseconds="1000" />
      </providers>
    </sessionState>

A new Session object must be created when the user logs in.

    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            var user = await UserManager.FindAsync(model.UserName, model.Password);
            if (user != null)
            {
                if (user.EmailConfirmed == false)
                    return View("_ActivationCodeManuel", user);

                await SignInAsync(user, model.RememberMe);
                var uSo = JsonConvert.SerializeObject(user);
                Session.Add(user.Id, uSo);
                return RedirectToLocal(returnUrl);
            }
            ModelState.AddModelError("", "E-posta adresinizi ya da şifrenizi hatalı girdiniz.");
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

And if the session has expired on Redis, it should link to the login page, or if the user starts a new session on another computer, the current one should expire. But now it is working with only the cookie.

    [Authorize]
    public ActionResult Index()
    {
        var id = User.Identity.GetUserId();
        return View();
    }

I think I need to override the Authorize method. It should check the cookie and the session on Redis?

1 Answer


Identity framework does not rely on session to store any authentication data, so you'll have to implement that yourself.

I think the best place for cookie invalidation tied to the Redis session would be the OnValidateIdentity event. It is available in Startup.Auth.cs and looks like this (default template):

    using System;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Enable the application to use a cookie to store information for the signed in user
            // and to use a cookie to temporarily store information about a user logging in with a third party login provider
            // Configure the sign in cookie
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // other stuff
                Provider = new CookieAuthenticationProvider
                {
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                }
            });

            // other stuff
        }
    }

You can implement your own version of SecurityStampValidator.OnValidateIdentity to check for session state.

I've messed about with this event for other purposes, here is the sample of my code - just a sample of how you can implement your own logic there.
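
An added example, not part of the original answer and not the answerer's linked code: one way to tie the cookie to a Redis record from OnValidateIdentity, so that an expired key or a newer login elsewhere invalidates the cookie. ASP.NET session state is not yet loaded when the cookie middleware validates the identity, so the code reads Redis directly through StackExchange.Redis (an assumed dependency); `RedisLoginGuard`, the `sid` property, the `active-login:` key prefix and the 20-minute lifetime are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using StackExchange.Redis;

// Added example. RedisLoginGuard, "sid" and "active-login:" are hypothetical names.
public static class RedisLoginGuard
{
    private const string SidProperty = "sid";
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20); // assumed value
    // Host and port taken from the question's <sessionState> configuration.
    private static readonly Lazy<ConnectionMultiplexer> Redis =
        new Lazy<ConnectionMultiplexer>(() => ConnectionMultiplexer.Connect("192.168.13.197:6379"));

    private static string Key(string userId) { return "active-login:" + userId; }

    // Call at login and pass the result to AuthenticationManager.SignIn.
    // Overwriting the key supersedes a token issued to any other browser for this user.
    // The token travels inside the protected cookie ticket, so it only has to be unique.
    public static async Task<AuthenticationProperties> IssueAsync(string userId, bool isPersistent)
    {
        var sid = Guid.NewGuid().ToString("N");
        await Redis.Value.GetDatabase().StringSetAsync(Key(userId), sid, Lifetime);
        var props = new AuthenticationProperties { IsPersistent = isPersistent };
        props.Dictionary[SidProperty] = sid; // properties survive identity regeneration
        return props;
    }

    // Assign to CookieAuthenticationProvider.OnValidateIdentity.
    public static async Task ValidateAsync(CookieValidateIdentityContext context)
    {
        string sid;
        context.Properties.Dictionary.TryGetValue(SidProperty, out sid);
        var db = Redis.Value.GetDatabase();
        var key = Key(context.Identity.GetUserId());
        string current = await db.StringGetAsync(key); // null when the key has expired
        if (sid == null || !string.Equals(sid, current, StringComparison.Ordinal))
        {
            // Expired in Redis or replaced by a newer login: reject and clear the cookie.
            context.RejectIdentity();
            context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
            return;
        }
        await db.KeyExpireAsync(key, Lifetime); // sliding expiry on activity
    }
}
```

In `SignInAsync`, pass the result of `IssueAsync` to `AuthenticationManager.SignIn`; in Startup.Auth.cs, set `OnValidateIdentity = RedisLoginGuard.ValidateAsync`, invoking the security stamp validator afterwards if it should still run.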
