Identity cookie loses custom claim information after a period of time

StackOverflow https://stackoverflow.com/questions/23622047

Question

I am storing custom claims, such as the user's real name, in the ASP.NET Identity cookie to avoid unnecessary database queries on every request. At least that's what I assume this code is doing:

var identity = await user.GenerateUserIdentityAsync(UserManager);
identity.AddClaim(new Claim(ClaimTypes.GivenName, user.FirstName)));
// etc.
AuthenticationManager.SignIn(new AuthenticationProperties {IsPersistent=true}, identity);

This works fine, and I can retrieve these claims with:

private static string GetClaim(string claimType)
{
  var identity = (ClaimsPrincipal) Thread.CurrentPrincipal;
  var claim = identity.Claims.SingleOrDefault(o => o.Type == claimType);
  return claim == null ? null : claim.Value;
}

The identity.Claims property contains the following claims, as expected:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: ced2d16c-cb6c-4af0-ad5a-09df14dc8207
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: me@example.com
http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider: ASP.NET Identity
AspNet.Identity.SecurityStamp: 284c648c-9cc7-4321-b0ce-8a347cd5bcbf
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: My Name

The trouble is that after some time (usually several hours), my custom claims seem to disappear - in this example, givenname no longer exists in the enumeration. The user is still authenticated, and all the default claims are still there.

What's going on, and how can I fix this? The only thing I can think of is that the cookie is expiring and being re-issued behind the scenes, but I don't know why (or if) that would happen.

Was it helpful?

Solution

Yes, the issue is most likely the cookie getting expired. Since you didn't add the custom claims to the user's claims in the database, they are lost on refresh since you aren't adding the claim inside the method being called. You can either add the claim via:

userManager.AddClaim(user.Id, new Claim(ClaimTypes.GivenName, user.FirstName));

or you can move this inside of the method that's called when the cookie is regenerated (by default its user.GenerateUserIdentityAsync).

        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

OTHER TIPS

In Net5 you can get old cookie Custom Claim and add to new cookie like this,

builder.Services.Configure<SecurityStampValidatorOptions>(options =>
{
    // set time how oftern the cookie is invalidated
    options.ValidationInterval = TimeSpan.FromMinutes(10);

    options.OnRefreshingPrincipal = context =>
    {
        // Get my custom claim from old cookie
        var guidClaim = context.CurrentPrincipal.FindFirst("GUID");

        // Add value to new cookie
        if (guidClaim != null)
            context.NewPrincipal.Identities.First().AddClaim(guidClaim);

        return Task.FromResult(0);
    };
});
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top