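Microsoft.AspNet.Identity V2.2: When a user disables 2FA (after previously enabling it), the user's cookie .AspNet.TwoFactorRememberBrowser still exists and, under the right circumstances, could pose a security risk. I am looking for a clean and proper way to delete that user's cookie, or should I just change the expiration date to a date in the past? If so, how would I do that? I have Googled a bunch to no avail; it seems no one has noticed that the cookie still exists.
1 Answer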
0
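So, in the absence of a better way, it looks like this solves the problem in the Async Function /Manage/DisableTwoFactorAuthentication. Note that isPersistent = True deletes the cookie, whereas isPersistent = False only sets the expiration date back.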
    ' POST: /Manage/DisableTwoFactorAuthentication
    <HttpPost>
    <ValidateAntiForgeryToken>
    Public Async Function DisableTwoFactorAuthentication() As Task(Of ActionResult)
        Await UserManager.SetTwoFactorEnabledAsync(User.Identity.GetUserId(), False)
        Dim userInfo = Await UserManager.FindByIdAsync(User.Identity.GetUserId())
        If userInfo IsNot Nothing Then
            Await SignInManager.SignInAsync(userInfo, isPersistent:=False, rememberBrowser:=False)
            Dim rememberBrowserIdentity = AuthenticationManager.CreateTwoFactorRememberBrowserIdentity(userInfo.Id)
            AuthenticationManager.SignIn(New AuthenticationProperties With {
                .IsPersistent = True, 'False still leaves old cookie but with expired date
                .ExpiresUtc = Date.UtcNow.AddDays(-1)
            }, rememberBrowserIdentity)
        End If
        Return RedirectToAction("Index", "Manage")
    End Function
Hope this helps someone! :-)
Answered 2019-01-07T21:02:07.037
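A regression check for the behaviour discussed above, as an added example that is not part of the original question or answer: given the `Set-Cookie` headers returned by the disable-2FA request, it reports whether the browser is told to drop `.AspNet.TwoFactorRememberBrowser`. The sample headers, date formats and function names are constructed assumptions, not captured from a real application.

```python
from datetime import datetime, timezone

# Cookie name from the question; everything else here is constructed.
COOKIE_NAME = ".AspNet.TwoFactorRememberBrowser"
DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def parse_expires(text):
    """Return an aware UTC datetime, or None if the date is unreadable."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def remember_browser_cleared(set_cookie_headers, now=None):
    """True if the response tells the browser to drop the remember-browser cookie."""
    now = now or datetime.now(timezone.utc)
    cleared = False  # no Set-Cookie for it: the browser keeps the old cookie
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != COOKIE_NAME:
            continue
        try:
            cleared = int(attrs["max-age"]) <= 0  # Max-Age wins over Expires
        except (KeyError, ValueError):
            expires = parse_expires(attrs.get("expires", ""))
            cleared = expires is not None and expires <= now
    return cleared

# Constructed sample responses to POST /Manage/DisableTwoFactorAuthentication.
FIXED = [".AspNet.ApplicationCookie=CONSTRUCTED; path=/; HttpOnly",
         COOKIE_NAME + "=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT"]
UNFIXED = [".AspNet.ApplicationCookie=CONSTRUCTED; path=/; HttpOnly"]

if __name__ == "__main__":
    print("fixed:", remember_browser_cleared(FIXED))
    print("unfixed:", remember_browser_cleared(UNFIXED))
```

This only covers the browser that made the request; it says nothing about copies of the cookie held by other browsers.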