ASP.Net Identity ASPNET.ApplicationCookie 在我检查时看起来不同

Question

我一直试图找到一个明确的答案，说明为什么我会看到这种行为。我正在使用 Microsoft ASP.NET Identity 模板项目来查看 Identity、OWIN 等的工作原理。我注意到每次我提出请求(转到“联系”、“管理”等)。我的 AspNet.ApplicationCookie 具有不同的加密字符串(在 Chrome 或 IE 上使用开发人员工具时)。起初我认为这可能是因为我没有为用户提出任何声明，但我尝试添加一些声明，但仍然看到相同的行为。有没有人看到/知道为什么？是不是因为 OWIN 中间件加密 cookie 的方式导致加密的 cookie 发生了变化？任何帮助是极大的赞赏。

我读了 https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
和
http://tech.trailmax.info/2014/08/aspnet-identity-cookie-format/

但两者都没有真正弄清楚为什么我可能会看到我所看到的行为。再次感谢大家。

更新:
这是我的 startup.Auth.cs

 public void ConfigureAuth(IAppBuilder app)
    {

        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        // Configure the sign in cookie
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {

            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            LogoutPath = new PathString("/Account/LogOff"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(0),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },
        });            
        //app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // these two lines of code are needed if you are using any of the external authentication middleware
        app.Properties["Microsoft.Owin.Security.Constants.DefaultSignInAsAuthenticationType"] = "ExternalCookie";
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ExternalCookie",
            AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
        });

        // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

        // Enables the application to remember the second login verification factor such as phone or email.
        // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
        // This is similar to the RememberMe option when you log in.
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
}

Answer 1

您的问题符合validateInterval: TimeSpan.FromMinutes(0),在这里，您实际上是说“在每个请求上重新生成 cookie”——这是为了在更改安全标记时使全局 cookie 失效。

套装validateInterval需要几分钟 - 您不会在每个请求中都使 cookie 失效，只会在您设置的每分钟内失效。