Hello,
with the standard credential validation, is there a way to avoid removing the current session when a failed login occurs?
The current behavior is this:
User A logs in successfully
User A session created
User B tries to log in with wrong credentials
User A session removed
The desired behavior is to keep User A's session even if a failed login occurs.
Thank you.
mythz
September 24, 2024, 2:22pm
You can prevent it from generating new session cookies on Authentication with:

    Plugins.Add(new AuthFeature(...) {
        GenerateNewSessionCookiesOnAuthentication = false
    });
It works, but only if the user is the same. Can I have the same behavior also if I try to log in with a different username?
mythz
September 24, 2024, 5:33pm
You could try overriding ResetSessionBeforeLoginAsync()
in a custom CredentialsAuthProvider and not remove the session:

    // Excerpt from ServiceStack's CredentialsAuthProvider.cs. The first block is the tail of
    // AuthenticateAsync(IServiceBase, IAuthSession, Authenticate, CancellationToken): it validates
    // the request DTO and hands off to the userName/password overload whose signature closes the excerpt.
        if (SkipPasswordVerificationForInProcessRequests && authService.Request.IsInProcessRequest())
        {
            await new PrivateAuthValidator().ValidateAndThrowAsync(request, cancellationToken: token);
            return await AuthenticatePrivateRequestAsync(authService, session, request.UserName, request.Password, authService.Request.GetReturnUrl(), token).ConfigAwait();
        }

        await new CredentialsAuthValidator().ValidateAndThrowAsync(request, cancellationToken: token);
        return await AuthenticateAsync(authService, session, request.UserName, request.Password, authService.Request.GetReturnUrl(), token).ConfigAwait();
    }

    // Called before the credentials are verified: if the session already belongs to a different
    // user name, the existing session is removed and a fresh one is returned.
    protected virtual async Task<IAuthSession> ResetSessionBeforeLoginAsync(IServiceBase authService, IAuthSession session, string userName, CancellationToken token = default)
    {
        if (!LoginMatchesSession(session, userName))
        {
            await authService.RemoveSessionAsync(token).ConfigAwait();
            return await authService.GetSessionAsync(token: token).ConfigAwait();
        }
        return session;
    }

    protected async Task<object> AuthenticateAsync(IServiceBase authService, IAuthSession session, string userName, string password, string referrerUrl, CancellationToken token = default)
    {
        // ... (body not included in the post)
    }
Although there are a number of places where sessions are removed, so it may not prevent the default behavior.
I tried, but the session had already been removed before the ResetSessionBeforeLoginAsync method was called.
mythz
September 25, 2024, 10:41am
Yeah, RemoveSessionAsync is called a number of times after an invalid attempt, e.g. in AuthProvider.cs.
There isn't really an easier way to work around it other than using locally modified copies of AuthProvider and CredentialsAuthProvider and removing the calls to it.
I resolved it using both your suggestions. The implementation is below.
Thank you
    Plugins.Add(new AuthFeature(...) {
        GenerateNewSessionCookiesOnAuthentication = false
    });

    using System.Threading;
    using System.Threading.Tasks;
    using ServiceStack;
    using ServiceStack.Auth;

    // Custom CredentialsAuthProvider that keeps the existing session instead of removing it
    // when the attempted user name differs from the one on the session.
    // (The class name is illustrative; the post only shows the override.)
    public class KeepSessionCredentialsAuthProvider : CredentialsAuthProvider
    {
        protected override async Task<IAuthSession> ResetSessionBeforeLoginAsync(IServiceBase authService, IAuthSession session, string userName, CancellationToken token = default)
        {
            if (!LoginMatchesSession(session, userName))
            {
                //await authService.RemoveSessionAsync(token).ConfigAwait();
                return await authService.GetSessionAsync(token: token).ConfigAwait();
            }
            return session;
        }
    }
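A way to check which behavior a deployment actually has, as an added example that is not part of this thread nor of ServiceStack's own code: a small client (ServiceStack.Client package) that replays the scenario from the first post against a running AppHost that has AuthFeature with the CredentialsAuthProvider registered. It assumes the host listens on http://localhost:5000/ and that a user "userA" with password "p@ss-A" exists in the auth repository; "userB" and the wrong password are arbitrary values chosen for the example. Because the single JsonServiceClient keeps one cookie container, all three requests travel with the same ss-id / ss-pid cookies, exactly like one browser.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using ServiceStack;

public static class SessionSurvivalCheck
{
    // Returns true when the session established by User A's login still
    // authenticates after a failed login for a different user name sent
    // from the SAME client (same session cookies); false when it was removed.
    public static async Task<bool> SessionSurvivesFailedLoginAsync(string baseUrl)
    {
        var client = new JsonServiceClient(baseUrl); // one cookie container = one browser

        // 1. User A logs in successfully; the client now holds A's session cookies.
        var a = await client.PostAsync(new Authenticate {
            provider = "credentials",
            UserName = "userA",   // assumed to exist in the auth repository
            Password = "p@ss-A",  // assumed password
        });
        Console.WriteLine($"A authenticated, SessionId={a.SessionId}");

        // 2. User B fails to log in from the same client (wrong password).
        try
        {
            await client.PostAsync(new Authenticate {
                provider = "credentials",
                UserName = "userB",
                Password = "definitely-wrong",
            });
            throw new InvalidOperationException("expected the wrong password to be rejected");
        }
        catch (WebServiceException ex) when (ex.StatusCode == (int)HttpStatusCode.Unauthorized)
        {
            Console.WriteLine($"B rejected as expected: {ex.StatusDescription}");
        }

        // 3. Is A's session still there? GET /auth with no credentials returns the
        //    current session when authenticated and 401 otherwise.
        try
        {
            var still = await client.GetAsync(new Authenticate());
            Console.WriteLine($"Session still authenticated as {still.UserName}");
            return still.UserName == "userA";
        }
        catch (WebServiceException ex) when (ex.StatusCode == (int)HttpStatusCode.Unauthorized)
        {
            Console.WriteLine("Session was removed by the failed attempt");
            return false;
        }
    }

    public static async Task Main()
    {
        var survived = await SessionSurvivesFailedLoginAsync("http://localhost:5000/");
        Console.WriteLine(survived ? "A's session survived" : "A's session was cleared");
    }
}
```

Run it once with stock defaults (step 3 reports 401 and the method returns false) and once with the override and GenerateNewSessionCookiesOnAuthentication = false from the thread (it returns true). Two caveats before shipping that change: the server cannot tell a mistyped password from a different person at the same browser, which is why dropping the authenticated session is the conservative default; and with GenerateNewSessionCookiesOnAuthentication = false the session id that existed before login is the one that becomes authenticated, which is the condition session-fixation attacks rely on, so only disable it where the pre-login session id cannot have been planted by an attacker (for example via a cookie set on a sibling subdomain).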