This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Authentication cookie is badly renewed when the security stamp has been validated #628

@fredgate

Description


The authentication cookie can be renewed in these two cases:

  • the elapsed time is more than halfway through the expiration window
  • the security stamp has been validated and a new identity is rebuilt

In the FinishResponseAsync method of the CookieAuthenticationHandler class (namespace Microsoft.AspNet.Authentication.Cookies), a new ticket is built, optionally setting the properties IssuedUtc and ExpiresUtc.

When the sliding expiration is refreshed, the Issued and Expires properties are correctly marked to be updated (ReadCookieTicket method):

// Sliding expiration: renew once more than half of the window has elapsed
if (timeRemaining < timeElapsed)
{
  _shouldRenew = true;
  _renewIssuedUtc = currentUtc;
  var timeSpan = expiresUtc.Value.Subtract(issuedUtc.Value);
  _renewExpiresUtc = currentUtc.Add(timeSpan);
}

But when the stamp validator sets a new identity and indicates that the cookie should be renewed, the handler does not indicate that the Issued property should be refreshed. I think that the HandleAuthenticateAsync method should be fixed with the line added below:

var context = new CookieValidatePrincipalContext(Context, ticket, Options);
await Options.Events.ValidatePrincipal(context);

if (context.Principal == null)
{
  return AuthenticateResult.Failed("No principal.");
}

if (context.ShouldRenew)
{
  _shouldRenew = true;
  // Add this line ?
  _renewIssuedUtc = Options.SystemClock.UtcNow;
}

The problem is that once the stamp has been validated, it will then be validated again on every subsequent request, requiring a database query via the FindByIdAsync method of the UserStore.
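The following is an added Python model of the renewal logic described in this issue, not code from the aspnet/Security project. It assumes a 2 hour cookie lifetime and a 30 minute stamp validation interval (both constructed values) and counts how many requests trigger the FindByIdAsync lookup with and without the proposed reset of IssuedUtc.

```python
from datetime import datetime, timedelta, timezone

# Assumed values for the model (not taken from the project)
EXPIRE_WINDOW = timedelta(hours=2)            # cookie lifetime
VALIDATION_INTERVAL = timedelta(minutes=30)   # stamp validator interval


class Ticket:
    def __init__(self, issued, expires):
        self.issued = issued
        self.expires = expires


def handle_request(ticket, now, reset_issued_on_stamp_renew):
    """Model one request through the cookie handler.

    Returns (ticket_after_response, db_lookup_done)."""
    db_lookup = False
    renew = False
    new_issued, new_expires = ticket.issued, ticket.expires

    # Sliding expiration path (ReadCookieTicket logic quoted in the issue)
    elapsed = now - ticket.issued
    remaining = ticket.expires - now
    if remaining < elapsed:
        renew = True
        new_issued = now
        new_expires = now + (ticket.expires - ticket.issued)

    # Security stamp path: the validator re-checks the stamp (DB lookup)
    # whenever the ticket is older than the validation interval
    if now - ticket.issued > VALIDATION_INTERVAL:
        db_lookup = True          # FindByIdAsync call
        renew = True
        if reset_issued_on_stamp_renew:
            new_issued = now      # the fix proposed in the issue

    if renew:
        return Ticket(new_issued, new_expires), db_lookup
    return ticket, db_lookup


def count_db_lookups(reset_issued, n_requests=5, step=timedelta(minutes=1)):
    """Replay n_requests one minute apart, starting just past the interval."""
    start = datetime(2016, 1, 1, tzinfo=timezone.utc)
    ticket = Ticket(start, start + EXPIRE_WINDOW)
    now = start + VALIDATION_INTERVAL + step
    lookups = 0
    for _ in range(n_requests):
        ticket, hit = handle_request(ticket, now, reset_issued)
        lookups += int(hit)
        now += step
    return lookups
```

Without the reset every request past the interval hits the database; with it only the first one does.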
