What is ASP.NET Identity’s IUserSecurityStampStore interface?

Looking at ASP.NET Identity (new membership implementation in ASP.NET), I came across this interface when implementing my own UserStore:

//Microsoft.AspNet.Identity.Core.dll

using System.Threading.Tasks;

namespace Microsoft.AspNet.Identity
{
    public interface IUserSecurityStampStore<TUser>
    {
        // Methods
        // Reads the stamp currently stored for the user.
        Task<string> GetSecurityStampAsync(TUser user);
        // Stores a new stamp for the user.
        Task SetSecurityStampAsync(TUser user, string stamp);
    }
}

IUserSecurityStampStore is implemented by the default EntityFramework.UserStore<TUser>, which essentially gets and sets the TUser.SecurityStamp property.

After some more digging, it appears that a SecurityStamp is a Guid that is newly generated at key points in the UserManager (for example, changing passwords).

I can’t really decipher much beyond this since I’m examining this code in Reflector. Almost all the symbol and async information has been optimized out.

Also, Google hasn’t been much help.

Questions are:

  • What is a SecurityStamp in ASP.NET Identity and what is it used for?
  • Does the SecurityStamp play any role when authentication cookies are created?
  • Are there any security ramifications or precautions that need to be taken with this? For example, don’t send this value downstream to clients?

Update (9/16/2014)

Source code available here:

  • https://github.com/aspnet/Identity/
  • https://github.com/aspnet/Security/
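
Added example (not part of the original question and not ASP.NET Identity's own code): a minimal custom store implementing the two methods of the interface quoted in the question, with the stamp replaced by a new Guid on a password change. `AppUser`, `InMemoryStampStore`, `StampDemo` and the session check are hypothetical names; the check illustrates one use of a rotating stamp and is an assumption, not something the question states.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
// Same shape as the interface in the question, redeclared so this compiles without Identity.
public interface IUserSecurityStampStore<TUser>
{
    Task<string> GetSecurityStampAsync(TUser user);
    Task SetSecurityStampAsync(TUser user, string stamp);
}
public class AppUser { public string Id { get; set; } }  // hypothetical user type

// Hypothetical in-memory store; a real one persists the stamp alongside the user record.
public class InMemoryStampStore : IUserSecurityStampStore<AppUser>
{
    private readonly ConcurrentDictionary<string, string> _stamps =
        new ConcurrentDictionary<string, string>();

    // Returns null when no stamp has been set for the user.
    public Task<string> GetSecurityStampAsync(AppUser user) =>
        Task.FromResult(_stamps.TryGetValue(user.Id, out var stamp) ? stamp : null);

    public Task SetSecurityStampAsync(AppUser user, string stamp)
    {
        _stamps[user.Id] = stamp;
        return Task.CompletedTask;
    }
}

public static class StampDemo
{
    // Stores a freshly generated Guid, as the question observes on password change.
    public static Task RotateAsync(IUserSecurityStampStore<AppUser> store, AppUser user) =>
        store.SetSecurityStampAsync(user, Guid.NewGuid().ToString());

    // Assumed check: a session is honoured only while its sign-in stamp is still current.
    public static async Task<bool> IsSessionCurrentAsync(
        IUserSecurityStampStore<AppUser> store, AppUser user, string stampAtSignIn) =>
        stampAtSignIn != null && string.Equals(
            await store.GetSecurityStampAsync(user), stampAtSignIn, StringComparison.Ordinal);

    public static async Task Main()
    {
        var store = new InMemoryStampStore();
        var user = new AppUser { Id = "u1" };                        // constructed sample user
        await RotateAsync(store, user);                              // stamp set at account creation
        string atSignIn = await store.GetSecurityStampAsync(user);   // value captured at sign-in
        Console.WriteLine(await IsSessionCurrentAsync(store, user, atSignIn));
        await RotateAsync(store, user);                              // password changed
        Console.WriteLine(await IsSessionCurrentAsync(store, user, atSignIn));
    }
}
```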
