即使删除用户，ASP.Net Identity Identity.IsAuthenticated仍然是正确的

Question

I have implemented ASP.Net Identity after following the sample code here: https://github.com/rustd/AspnetIdentitySample

In my implementation I check if a user is authenticated - this is called from a FilterAttribute on my MVC Controllers; the idea is i want to confirm they are still auth'ed before serving up the page.

So in my filter, the following code eventually gets called:

_authenticationManager.User.Identity.IsAuthenticated;

_authenticationManager is here:

private IAuthenticationManager _authenticationManager
{
    get
    {
        return _httpContext.GetOwinContext().Authentication;
    }
}

The _httpContext is passed into the constructor of my identityProvider class.

Now - once I have logged in, _authenticationManager.User.Identity.IsAuthenticated; returns true as expected.

However, during development, i dumped and re-seeded my database, without adding a user. So effectively, I have deleted the IdentityUser - yet _authenticationManager.User.Identity.IsAuthenticated; STILL returns true

any idea why this is? I can only assume it's somehow checking a cookie, rather than actually looking at the DB. is this correct?

Or have i messed up my implementation.....

Answer 1

This does not make IsAuthenticated a security hole. Let's look at the actual authentication process.

1. You setup some stuff in your web.config around where the login page is, how long the login is good for and whether or not to use sliding expiration (should the time be extended if the user is active on your site)

2. User comes to your site, enters their username and password.

3. That information is posted to your server. You take that information, verify that it is correct (authenticate). If it is correct, the server then issues an encrypted cookie known as the FormsAuthenticationTicket Note - this could have a different name in the new Identity stuff, but the same principle.

4. The cookie's contents includes items such as the user name and expiration date of the login.

5. On each request, the server looks at the cookie collection for the authentication cookie. If found, it decrypts it, reads the values and determines if this is still a valid cookie (expiration time). Once it has the user information from the cookie, the server can use this information to determine if the user is authorized for the resource requested (look up by username).

5a. If the cookie is not present, or has expired, then the user is redirected back to the login page.

6.When the user logs out, the cookie is deleted from the cookie collection. Now, if the user tries to go to a resource that is for authorized users only, then the server ends up at 5a above.

So, in your case, you deleted a user manually. This does not change the fact that this user has previously been authenticated with a still valid cookie. Therefore, IsAuthenticated is returning the expected value. The user has authenticated before you changed his user status. IsAuthenticated does not mean, is this user still valid in my database.

If you are going to be running a site where you are constantly deleting/deactivating users, then override the OnRequestAuthorization method of the AuthorizeAttribute to look and see if the user is actually still in the database. Also, note that if the username is not present (because you deleted it), then any look ups for role / userId will fail. You can catch that exception / failure and return the property unauthorized response.