From 7a795da349cfb05a552cd2f3e01d43dbc035cccc Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Wed, 1 Jun 2016 12:08:03 -0700
Subject: [PATCH] AutomaticAuthenticate = false for non ApplicationCookies

---
 src/Microsoft.AspNetCore.Identity/IdentityCookieOptions.cs | 6 ++++--
 src/Microsoft.AspNetCore.Identity/SignInManager.cs | 2 ++
 .../IdentityOptionsTest.cs | 5 +++++
 .../Microsoft.AspNetCore.Identity.Test/SignInManagerTest.cs | 1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/Microsoft.AspNetCore.Identity/IdentityCookieOptions.cs b/src/Microsoft.AspNetCore.Identity/IdentityCookieOptions.cs
index 037062b1bb..fc78fcf301 100644
--- a/src/Microsoft.AspNetCore.Identity/IdentityCookieOptions.cs
+++ b/src/Microsoft.AspNetCore.Identity/IdentityCookieOptions.cs
@@ -36,6 +36,7 @@ namespace Microsoft.AspNetCore.Identity
 ExternalCookie = new CookieAuthenticationOptions
 {
+ AutomaticAuthenticate = false,
 AuthenticationScheme = DefaultExternalScheme,
 CookieName = DefaultExternalScheme,
 ExpireTimeSpan = TimeSpan.FromMinutes(5)
@@ -43,17 +44,18 @@ namespace Microsoft.AspNetCore.Identity
 TwoFactorRememberMeCookie = new CookieAuthenticationOptions
 {
+ AutomaticAuthenticate = false,
 AuthenticationScheme = DefaultTwoFactorRememberMeScheme,
 CookieName = DefaultTwoFactorRememberMeScheme
 };
 TwoFactorUserIdCookie = new CookieAuthenticationOptions
 {
+ AutomaticAuthenticate = false,
 AuthenticationScheme = DefaultTwoFactorUserIdScheme,
 CookieName = DefaultTwoFactorUserIdScheme,
 ExpireTimeSpan = TimeSpan.FromMinutes(5)
- };
-
+ };
 }
 public CookieAuthenticationOptions ApplicationCookie { get; set; }
diff --git a/src/Microsoft.AspNetCore.Identity/SignInManager.cs b/src/Microsoft.AspNetCore.Identity/SignInManager.cs
index fbb7d2819a..d317b62cda 100644
--- a/src/Microsoft.AspNetCore.Identity/SignInManager.cs
+++ b/src/Microsoft.AspNetCore.Identity/SignInManager.cs
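Review bot: The three `AutomaticAuthenticate = false` lines added across both hunks of IdentityCookieOptions carry no explanation, and the reason is the security-relevant part: the external, two-factor-remember-me and two-factor-user-id cookies appear to hold short-lived hand-off state (two of them expire after five minutes, and SignInManager signs the user-id cookie out once sign-in completes), so a request presenting one of them must not receive a principal from it unless that scheme is asked for explicitly. A one-line comment on each new line, `// Transient hand-off state only; never used to populate HttpContext.User automatically`, would keep the next maintainer from reading the flag as noise. The `ApplicationCookie` initializer lies outside the hunks, so it is not visible whether its `AutomaticAuthenticate` is stated explicitly or left to the `CookieAuthenticationOptions` default; the test added in IdentityOptionsTest asserts it is true, and stating `AutomaticAuthenticate = true,` in that initializer would make the intent independent of the base constructor.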
@@ -365,6 +365,8 @@ namespace Microsoft.AspNetCore.Identity
 {
 await Context.Authentication.SignOutAsync(Options.Cookies.ExternalCookieAuthenticationScheme);
 }
+ // Cleanup two factor user id cookie
+ await Context.Authentication.SignOutAsync(Options.Cookies.TwoFactorUserIdCookieAuthenticationScheme);
 if (rememberClient)
 {
 await RememberTwoFactorClientAsync(user);
diff --git a/test/Microsoft.AspNetCore.Identity.Test/IdentityOptionsTest.cs b/test/Microsoft.AspNetCore.Identity.Test/IdentityOptionsTest.cs
index 406215e889..759f7ce8da 100644
--- a/test/Microsoft.AspNetCore.Identity.Test/IdentityOptionsTest.cs
+++ b/test/Microsoft.AspNetCore.Identity.Test/IdentityOptionsTest.cs
@@ -35,6 +35,11 @@ namespace Microsoft.AspNetCore.Identity.Test
 Assert.Equal(ClaimTypes.Name, options.ClaimsIdentity.UserNameClaimType);
 Assert.Equal(ClaimTypes.NameIdentifier, options.ClaimsIdentity.UserIdClaimType);
 Assert.Equal("AspNet.Identity.SecurityStamp", options.ClaimsIdentity.SecurityStampClaimType);
+
+ Assert.True(options.Cookies.ApplicationCookie.AutomaticAuthenticate);
+ Assert.False(options.Cookies.ExternalCookie.AutomaticAuthenticate);
+ Assert.False(options.Cookies.TwoFactorRememberMeCookie.AutomaticAuthenticate);
+ Assert.False(options.Cookies.TwoFactorUserIdCookie.AutomaticAuthenticate);
 }
 [Fact]
diff --git a/test/Microsoft.AspNetCore.Identity.Test/SignInManagerTest.cs b/test/Microsoft.AspNetCore.Identity.Test/SignInManagerTest.cs
index dbf5f552b6..9fe4297e16 100644
--- a/test/Microsoft.AspNetCore.Identity.Test/SignInManagerTest.cs
+++ b/test/Microsoft.AspNetCore.Identity.Test/SignInManagerTest.cs
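Review bot: The new `SignOutAsync` for the two-factor user-id cookie in SignInManager runs only on this completion path; the enclosing method starts and ends outside the hunk, so it is not visible whether an attempt that ends in lockout also clears the pending-user-id cookie or leaves it valid until its ExpireTimeSpan (five minutes in IdentityCookieOptions) runs out, which is worth confirming. The added comment says what, not why; `// The two-factor user id cookie is single-use hand-off state: once the full sign-in completes it must not stay valid for the rest of its lifetime` would record the reason the clean-up belongs on the success path. Whether signing out a scheme whose cookie is already absent is a harmless delete-cookie response, and therefore safe to call unconditionally as done here, is not shown in the hunk and would be worth a short note if so.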
@@ -407,6 +407,7 @@ namespace Microsoft.AspNetCore.Identity.Test
 // REVIEW: restore ability to test is persistent
 //It.Is(v => v.IsPersistent == isPersistent))).Verifiable();
 auth.Setup(a => a.SignOutAsync(helper.Options.Cookies.ExternalCookieAuthenticationScheme)).Returns(Task.FromResult(0)).Verifiable();
+ auth.Setup(a => a.SignOutAsync(helper.Options.Cookies.TwoFactorUserIdCookieAuthenticationScheme)).Returns(Task.FromResult(0)).Verifiable();
 }
 else
 {
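Review bot: The new `auth.Setup` for `TwoFactorUserIdCookieAuthenticationScheme` is placed inside the same `if` branch as the external-cookie setup, while the production call it mirrors runs unconditionally after that branch in SignInManager; the `else` branch visible at the end of the hunk gets no matching setup. If the test takes the else path with a strict mock, or with a loose mock that returns a null `Task` for the unconfigured call, the awaited sign-out fails in the test harness rather than in the code under test. Moving the new setup line out of the conditional, directly before the `if`, keeps the expectation aligned with the unconditional call and lets any later `Verify` (outside the hunk, if present) cover both paths. The enclosing test method starts and ends outside the hunk.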