Why sign in following Change Password in ASP.Net Core 2 MVC

The default project template in Visual Studio 2017 contains a function in the ManageController for the logged in User to change their password.

Following a successful password change the user is then automatically signed in again

await _signInManager.SignInAsync(user, isPersistent: false);

What is the purpose of this sign in?

The full action method is below:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> ChangePassword(ChangePasswordViewModel model)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    var user = await _userManager.GetUserAsync(User);
    if (user == null)
    {
        throw new ApplicationException($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
    }

    var changePasswordResult = await _userManager.ChangePasswordAsync(user, model.OldPassword, model.NewPassword);
    if (!changePasswordResult.Succeeded)
    {
        AddErrors(changePasswordResult);
        return View(model);
    }

    await _signInManager.SignInAsync(user, isPersistent: false);
    _logger.LogInformation("User changed their password successfully.");
    StatusMessage = "Your password has been changed.";

    return RedirectToAction(nameof(ChangePassword));
}
Fran Hoey asked Nov 28 '25 01:11


1 Answer

Inside of ChangePasswordAsync, there is a call to UpdatePasswordHash, which itself makes a call to UpdateSecurityStampInternal. The implementation of UpdateSecurityStampInternal is not important - what is important is that this (obviously) updates the SecurityStamp property of the user.

Looking into how SignInManager works, you'll see that SignInAsync ends up with a call to UserClaimsPrincipalFactory's CreateAsync method, which itself calls into GenerateClaimsAsync. Inside of this implementation, you'll see the following:

if (UserManager.SupportsUserSecurityStamp)
{
    id.AddClaim(new Claim(Options.ClaimsIdentity.SecurityStampClaimType,
        await UserManager.GetSecurityStampAsync(user)));
}

This means that after changing a password, the existing SecurityStampClaimType value will have changed. Reissuing a sign-in action ensures that a new ClaimsIdentity is created, which includes the new value of SecurityStamp.


This may not be the only reason for this sign-in action, but it does appear to be a reason.

Kirk Larkin answered Nov 29 '25 16:11
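To make the consequence concrete, here is an added illustration (not code from the question, the answer, or ASP.NET Core Identity itself) of what happens to the authentication cookie's identity when the security stamp changes. It uses a stand-in user record and a simplified version of the comparison that Identity's SecurityStampValidator performs on the configured validation interval; the claim type string is Identity's default, everything else is assumed for the demo.

```csharp
using System;
using System.Security.Claims;

// Stand-in for the Identity user row; only the fields the demo needs (assumed).
class DemoUser
{
    public string Id = "user-1";
    public string SecurityStamp = Guid.NewGuid().ToString();
}

static class SecurityStampDemo
{
    // Default value of ClaimsIdentityOptions.SecurityStampClaimType in Identity.
    const string StampClaimType = "AspNet.Identity.SecurityStamp";

    // Mirrors what GenerateClaimsAsync does at sign-in: the stamp current
    // at that moment is copied into the ClaimsIdentity stored in the cookie.
    public static ClaimsPrincipal CreatePrincipal(DemoUser user)
    {
        var id = new ClaimsIdentity("Identity.Application");
        id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        id.AddClaim(new Claim(StampClaimType, user.SecurityStamp));
        return new ClaimsPrincipal(id);
    }

    // Simplified stand-in for SecurityStampValidator: the cookie identity is
    // only honoured while its stamp claim equals the stamp in the user store.
    public static bool CookieStillValid(ClaimsPrincipal principal, DemoUser user)
    {
        var claimed = principal.FindFirst(StampClaimType)?.Value;
        return claimed != null && claimed == user.SecurityStamp;
    }

    static void Main()
    {
        var user = new DemoUser();
        var cookiePrincipal = CreatePrincipal(user); // original login
        Console.WriteLine($"after login:           {CookieStillValid(cookiePrincipal, user)}");

        // ChangePasswordAsync -> UpdatePasswordHash -> UpdateSecurityStampInternal
        user.SecurityStamp = Guid.NewGuid().ToString();
        Console.WriteLine($"after password change: {CookieStillValid(cookiePrincipal, user)}");

        // SignInAsync after the change reissues the identity with the new stamp,
        // so the current browser keeps its session instead of being signed out.
        cookiePrincipal = CreatePrincipal(user);
        Console.WriteLine($"after re-sign-in:      {CookieStillValid(cookiePrincipal, user)}");
    }
}
```

The same stamp mismatch is what invalidates cookies held by any other browser or device once the validator next runs, which is the defensive property a password change should have; the re-sign-in in the template only exempts the session that performed the change.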