What is the purpose of ConcurrencyStamp and SecurityStamp in ASP.NET Identity?

1

The summaries of both properties in the IdentityUser entity are in English:

ConcurrencyStamp: A random value that should change whenever the user is persisted to the store.

Translating would be something more or less like this:

  

A random value that should change whenever a user persists in the repository.

SecurityStamp: A random value that should change whenever users credentials change.

Translating would be something more or less like this:

  

A random value that should change whenever there are changes in user credentials (Password changed, login removed).

I'm using Dapper instead of EF with Identity and ConcurrencyStamp never updates, so I thought it would be better to understand the purpose of them.

I was pretty confused about ConcurrencyStamp, whereas the summary described SecurityStamp well. But I was super confused when I came across this answer on SOen.

And what I believed to be a function of SecurityStamp is apparently a function of ConcurrencyStamp.

  • What is the purpose of these table properties / columns?
  • Do I need to do something so that, for example, ConcurrencyStamp performs its function correctly with Dapper? I thought it was necessary after seeing this answer using EF.
asked by anonymous 13.05.2018 / 07:14

1 answer

1

ConcurrencyStamp represents the current state of the data in the repository, and it is required to avoid concurrency problems. Example:

  • An admin opens a user's record to edit their email address
  • Another admin also opens the same user record for the same thing
  • The first admin updates the email and saves it
  • When the second admin saves, ConcurrencyStamp will be different (because the data they loaded has already been changed), and an exception is thrown.

SecurityStamp does the same thing but with information related to the user's credentials. If it displaces or changes the password, SecurityStamp changes, invalidating old cookies and other possible security issues.

With Dapper, apparently you do not have to do anything. The answer you mentioned just shows the IdentityDbContext implementation to "prove" the above explanation.

    
04.06.2018 / 04:40
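
The two-admin scenario from the answer, written out as an added example (not code from the question, the answer, or ASP.NET Identity itself): a compare-and-swap UPDATE on the stamp column, issued through Dapper. It assumes the Dapper and Microsoft.Data.Sqlite NuGet packages; the `Users` table, the `UserRow` class and the `Load`/`TryUpdate` helpers are hypothetical names constructed for the demonstration.

```csharp
using System;
using Dapper;
using Microsoft.Data.Sqlite;

// Constructed in-memory table standing in for the Identity user table.
using var db = new SqliteConnection("Data Source=:memory:");
db.Open();
db.Execute("CREATE TABLE Users (Id TEXT PRIMARY KEY, Email TEXT, ConcurrencyStamp TEXT)");
db.Execute("INSERT INTO Users VALUES ('u1', 'old@example.test', @Stamp)",
           new { Stamp = Guid.NewGuid().ToString() });

// Both admins load the same row, and with it the same stamp.
var adminA = Load(db, "u1");
var adminB = Load(db, "u1");
adminA.Email = "a@example.test";
adminB.Email = "b@example.test";

// Admin A saves first, which rotates the stamp; admin B's copy is now stale.
Console.WriteLine($"admin A saved: {TryUpdate(db, adminA)}");
Console.WriteLine($"admin B saved: {TryUpdate(db, adminB)}");
Console.WriteLine($"stored email:  {Load(db, "u1").Email}");

static UserRow Load(SqliteConnection db, string id) =>
    db.QuerySingle<UserRow>(
        "SELECT Id, Email, ConcurrencyStamp FROM Users WHERE Id = @id", new { id });

// Writes the row only if the stamp in the database still equals the stamp
// that was loaded with this copy, and rotates the stamp in the same statement.
static bool TryUpdate(SqliteConnection db, UserRow user)
{
    var newStamp = Guid.NewGuid().ToString();
    var rows = db.Execute(
        @"UPDATE Users
             SET Email = @Email, ConcurrencyStamp = @NewStamp
           WHERE Id = @Id AND ConcurrencyStamp = @ConcurrencyStamp",
        new { user.Email, user.Id, user.ConcurrencyStamp, NewStamp = newStamp });
    if (rows == 0) return false;       // someone else saved since this copy was loaded
    user.ConcurrencyStamp = newStamp;  // keep the in-memory copy in step with the row
    return true;
}

class UserRow
{
    public string Id { get; set; } = "";
    public string Email { get; set; } = "";
    public string ConcurrencyStamp { get; set; } = "";
}
```

In a hand-written `IUserStore<TUser>.UpdateAsync`, the stale case could be reported as `IdentityResult.Failed(new IdentityErrorDescriber().ConcurrencyFailure())` instead of a bare `false`.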