ASP.NET Identity Email Confirmation Token

ASP.NET Identity has an Email Confirmation feature that you can (and should) enable. It sends a registered user an email containing a token-based URL so they can confirm their email address and be allowed into the web application. That token gets generated and stored in memory, and therefore may be lost if the user does not confirm their account promptly.


Code Settings

The default TokenLifespan setting varies with the version of ASP.NET Identity: in the most recent version it is supposed to be 24 hours, but an earlier version had it set as low as 3 minutes. Below is an example of how to set it to a 12 hour duration directly within the Account controller. You could instead inject the dataProtectorProvider via an IoC container and pass it to the constructor, or just set it within the default Startup.cs.


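// Requires: using System; using Microsoft.AspNet.Identity.Owin;
public AccountController(IdentityUserManager userManager)
{
   // Startup.DataProtectionProvider is assumed to be a static property set in Startup.cs
   var dataProtectorProvider = Startup.DataProtectionProvider;
   // "MyApp" is the purpose string for the protector that protects these tokens
   var dataProtector = dataProtectorProvider.Create("MyApp");
   userManager.UserTokenProvider = new DataProtectorTokenProvider<IdentityUser>(dataProtector)
   {
      // Tokens older than 12 hours are no longer accepted
      TokenLifespan = TimeSpan.FromHours(12),
   };
}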


IIS Settings

After making the code changes you also need to tweak your web application's IIS settings.

Open your web application's IIS Advanced Settings and find Recycling Conditions under Application Pool Recycling Settings. The default setting is a Regular time interval of 1740 minutes (29 hours).



The problem is that the recycle follows an interval rather than a fixed time, so it can happen at any time during the day. When the application pool recycles, everything in memory is lost, including the email token in ASP.NET Identity. For example, a user registers at 10AM, the 29 hours expire at 10:30AM or 11AM, and when they try to confirm their email after that they can no longer do so.

Setting it to a Specific time such as 4:00 AM therefore seems to be a better solution.



It is also a good idea to audit Application Pool events in more detail, at least temporarily, to ensure everything is behaving as expected.
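
The same IIS changes can be scripted instead of clicked through. The following is an added example, not part of the original post: it replaces the 1740 minute interval with a fixed 4:00 AM recycle, turns on logging for every recycle reason, and lists recent recycle events for the pool. It assumes an elevated PowerShell session with the WebAdministration module available; the pool name MyAppPool is a placeholder.

```powershell
# Added example. 'MyAppPool' is a placeholder; substitute your application pool name.
Import-Module WebAdministration

$poolName = 'MyAppPool'
$poolPath = "IIS:\AppPools\$poolName"

# 1. Record the current settings so the change can be reviewed or reverted.
$interval = (Get-ItemProperty $poolPath -Name recycling.periodicRestart.time).Value
$schedule = (Get-ItemProperty $poolPath -Name recycling.periodicRestart.schedule.collection).value
Write-Output "Before: regular interval = $interval; specific times = $($schedule -join ', ')"

# 2. Disable the rolling interval (default 1740 minutes = 29 hours).
#    00:00:00 means "never recycle on an interval".
Set-ItemProperty $poolPath -Name recycling.periodicRestart.time -Value '00:00:00'

# 3. Replace any existing specific times with a single 4:00 AM recycle.
Clear-ItemProperty $poolPath -Name recycling.periodicRestart.schedule
Set-ItemProperty $poolPath -Name recycling.periodicRestart.schedule -Value @{ value = '04:00:00' }

# 4. Log every recycle reason to the System event log, so an unexpected
#    recycle (config change, memory limit, manual) is visible, not just the scheduled one.
Set-ItemProperty $poolPath -Name recycling.logEventOnRecycle `
    -Value 'Time,Requests,Schedule,Memory,IsapiUnhealthy,OnDemand,ConfigChange,PrivateMemory'

# 5. Verify what is now configured.
$interval = (Get-ItemProperty $poolPath -Name recycling.periodicRestart.time).Value
$schedule = (Get-ItemProperty $poolPath -Name recycling.periodicRestart.schedule.collection).value
Write-Output "After:  regular interval = $interval; specific times = $($schedule -join ', ')"

# 6. Audit: list WAS events from the last 7 days that mention this pool.
#    Recycles outside 4:00 AM point at one of the other reasons enabled in step 4.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WAS'
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$poolName*" } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```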



Happy Holidays!

[original publish date: 12/20/16]
