3

A security stamp is a random value generated based on the user's user name and password.

Following a chain of method calls, I traced the security stamp's origin to the SecurityStamp property of the Microsoft.AspNet.Identity.EntityFramework.IdentityUser<TKey, TLogin, TRole, TClaim> class.

However, I am unable to find the code that sets this value. I found only one setter of this property and that is the EntityFramework layer that provides the core storage (IUserStore<..>, IRoleStore<...>, etc.).

// From Microsoft.AspNet.Identity.EntityFramework.UserStore<...>
public virtual Task SetSecurityStampAsync(TUser user, string stamp)
{
    this.ThrowIfDisposed();
    if (user == null)
    {
        throw new ArgumentNullException("user");
    }
    user.SecurityStamp = stamp;
    return Task.FromResult<int>(0);
}

However, I found no code that calls into the SetSecurityStampAsync method.

This would obviously be reset whenever the user's credentials are changed or when a new user is created.

What code sets this value?

Water Cooler v2

1 Answer

4

The Microsoft.AspNet.Identity.Core default UserManager uses this method a lot.

It calls it using the internal method UpdateSecurityStampInternal and the public method UpdateSecurityStampAsync.

The following methods call the internal method:

  • CreateAsync
  • RemovePasswordAsync
  • UpdatePassword
  • RemoveLoginAsync
  • SetEmailAsync
  • SetPhoneNumberAsync
  • ChangePhoneNumberAsync
  • SetTwoFactorEnabledAsync

You should be able to get the source code for user manager using symbolsource.

Scott Brady
  • If it helps, .NET Core source code is here: https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/UserManager.cs#L792 – Ryan Dec 01 '16 at 11:51
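
The layering described in the answer, as an added sketch that is not part of the original posts and not the Microsoft.AspNet.Identity source: the store only assigns the value it is given, while the manager decides when the stamp rotates. `DemoUser`, `DemoUserStore` and `DemoUserManager` are hypothetical stand-ins, and generating the stamp as a fresh GUID is an assumption of this sketch.

```csharp
// Added sketch with stand-in types; NOT the Microsoft.AspNet.Identity source.
using System;
using System.Threading.Tasks;

public class DemoUser
{
    public string PasswordHash { get; set; }
    public string SecurityStamp { get; set; }
}

// Storage layer: only assigns what it is handed, like the setter in the question.
public class DemoUserStore
{
    public Task SetSecurityStampAsync(DemoUser user, string stamp)
    {
        if (user == null) throw new ArgumentNullException("user");
        user.SecurityStamp = stamp;
        return Task.FromResult(0);
    }
}

// Manager layer: decides when the stamp rotates and what the new value is.
public class DemoUserManager
{
    private readonly DemoUserStore _store;
    public DemoUserManager(DemoUserStore store) { _store = store; }

    // Assumption of this sketch: the new stamp is a fresh GUID.
    private Task UpdateSecurityStampInternal(DemoUser user)
    {
        return _store.SetSecurityStampAsync(user, Guid.NewGuid().ToString());
    }
    public Task CreateAsync(DemoUser user) { return UpdateSecurityStampInternal(user); }
    public Task UpdatePasswordAsync(DemoUser user, string newHash)
    {
        user.PasswordHash = newHash;            // credential change...
        return UpdateSecurityStampInternal(user); // ...rotates the stamp
    }
}

public static class Program
{
    public static void Main()
    {
        var user = new DemoUser();
        var manager = new DemoUserManager(new DemoUserStore());
        manager.CreateAsync(user).Wait();
        string before = user.SecurityStamp;     // stamp set at creation
        manager.UpdatePasswordAsync(user, "constructed-hash").Wait();
        Console.WriteLine(before != user.SecurityStamp);
    }
}
```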