How to create SecurityStamp for AspNetUser in ASP .NET MVC 5
Solution 1
The security stamp can be anything you want. It is often mistaken to be a timestamp, but it is not. It will be overridden by ASP.NET Identity if something changes on the user entity. If you're working on the context directly, the best way would be to generate a new Guid and use it as the stamp. Here's a simple example:
    // hasher is the PasswordHasher instance from the question's seeding code
    var users = new List<ApplicationUser>
    {
        new ApplicationUser
        {
            PasswordHash = hasher.HashPassword("TestPass44!"),
            Email = "[email protected]",
            UserName = "[email protected]",
            // Any unique value works as a stamp; a fresh GUID per user is enough
            SecurityStamp = Guid.NewGuid().ToString()
        },
        new ApplicationUser
        {
            PasswordHash = hasher.HashPassword("TestPass44!"),
            Email = "[email protected]",
            UserName = "[email protected]",
            SecurityStamp = Guid.NewGuid().ToString()
        }
    };
Solution 2
If we look inside the IdentityUser table AspNetUsers data, we'll see that SecurityStamp has a different form than a normal GUID:
This is because the GUID is converted to a HEX map string.
We can create a function to generate new Security Stamps that will generate a new GUID and convert it to a HEX map string:
    Func<string> GenerateSecurityStamp = delegate()
    {
        var guid = Guid.NewGuid();
        return String.Concat(Array.ConvertAll(guid.ToByteArray(), b => b.ToString("X2")));
    };
You can check it by running this .NET Fiddle.
So, if we want to seed Identity Users, we can use it to generate the SecurityStamp:
    modelBuilder.Entity<IdentityUser>().HasData(new ApplicationUser
    {
        ...
        // Security stamp is the GUID's bytes as a HEX string
        SecurityStamp = GenerateSecurityStamp(),
    });
Warning: Be very careful and don't use the above example for seeding, because it will change the data every time we create a new migration. Seeding data should always be pre-generated when using HasData and not dynamically generated inline.
Yoda
Updated on May 27, 2020
Comments
-
Yoda almost 4 years
When I create user by Register action when application is running the application user gets SecurityStamp. When I add user by:
    if (!context.Users.Any())
    {
        System.Diagnostics.Debug.WriteLine("INSIDE");
        var hasher = new PasswordHasher();
        try
        {
            var users = new List<ApplicationUser>
            {
                new ApplicationUser { PasswordHash = hasher.HashPassword("TestPass44!"), Email = "[email protected]", UserName = "[email protected]" },
                new ApplicationUser { PasswordHash = hasher.HashPassword("TestPass44!"), Email = "[email protected]", UserName = "[email protected]" }
            };
            users.ForEach(user => context.Users.AddOrUpdate(user));
            context.SaveChanges();
        }
        catch (DbEntityValidationException e)
        {
            System.Diagnostics.Debug.WriteLine("EXC: ");
            foreach (DbEntityValidationResult result in e.EntityValidationErrors)
            {
                foreach (DbValidationError error in result.ValidationErrors)
                {
                    System.Diagnostics.Debug.WriteLine(error.ErrorMessage);
                }
            }
        }
    }
user doesn't get security stamp:
and then when I want to login I get:
Question: How to generate SecurityStamp for user?
-
Moe Bataineh over 9 years
Why don't you use UserManager.CreateAsync(); instead?
-
Yoda over 9 years
@MohamadBataineh UserManager didn't work for me. Maybe I have made a mistake somewhere: here is the topic --> stackoverflow.com/questions/25354751/…
-
Yoda over 9 years
It worked. Do you know why I couldn't log in without this SecurityStamp set?
-
Horizon_Net over 9 years
@Yoda I had the same problem some time ago, but I can only guess. I think that this property will be checked by the framework during the login process to make sure your database wasn't corrupted (or something like this). According to this post it is used to invalidate cookies.
-
CowboyBebop over 8 years
The security stamp is used to invalidate a user's login cookie and force them to re-login. stackoverflow.com/a/19505060/749626
-
Savage about 8 years
If it's null, your password reset may not work - "Invalid token." error
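
As an added illustration (not code from the question, the answers or ASP.NET Identity itself), here is a simplified model of what the comments above describe: the login ticket records the stamp that was current at sign-in, so replacing the stamp invalidates that ticket. `User`, `Ticket` and `StampDemo` are hypothetical names, and refusing to sign in a user with no stamp is a modelling assumption that mirrors the failure reported in the question.

```csharp
using System;
using System.Linq;

// Simplified model (hypothetical types, not ASP.NET Identity's own classes):
// the sign-in ticket stores the stamp that was current at login, and every
// later validation compares it with the stamp stored for the user.
class User { public string UserName; public string SecurityStamp; }
class Ticket { public string UserName; public string StampAtSignIn; }

static class StampDemo
{
    // Same idea as Solution 2: a fresh GUID's bytes written as upper-case hex.
    public static string NewStamp() =>
        string.Concat(Guid.NewGuid().ToByteArray().Select(b => b.ToString("X2")));

    public static Ticket SignIn(User u)
    {
        // Assumption of this model: a user seeded without a stamp cannot sign in.
        if (string.IsNullOrEmpty(u.SecurityStamp))
            throw new InvalidOperationException("User has no security stamp.");
        return new Ticket { UserName = u.UserName, StampAtSignIn = u.SecurityStamp };
    }

    // A ticket stays valid only while the stored stamp is unchanged.
    public static bool IsStillValid(Ticket t, User u) =>
        !string.IsNullOrEmpty(u.SecurityStamp) &&
        string.Equals(t.StampAtSignIn, u.SecurityStamp, StringComparison.Ordinal);

    static void Main()
    {
        var user = new User { UserName = "seeded-user", SecurityStamp = NewStamp() }; // constructed sample
        var ticket = SignIn(user);
        Console.WriteLine(IsStillValid(ticket, user)); // ticket issued under the current stamp

        user.SecurityStamp = NewStamp();               // rotation, e.g. after a password change
        Console.WriteLine(IsStillValid(ticket, user)); // the ticket issued earlier is checked again

        var noStamp = new User { UserName = "seeded-without-stamp" }; // constructed sample
        try { SignIn(noStamp); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

When seeding through the context, assigning a stamp to every user up front avoids the third case.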