Luke

Reputation: 23690

Populating SecurityStamp for legacy users in database in ASP.NET Identity

I have a legacy database that I am using with ASP.NET Identity. In order to use the Identity functions a SecurityStamp value is required in the database for each user.

Some have mentioned in other questions relating to this that the value can be 'any random value, EG a random int' but that doesn't sound right to me!?

I created a new user in the database using this code:

IdentityResult result = await UserManager.CreateAsync(user, model.Password);

and it populated it with the following value: cea9a659-e965-4e76-8203-ed1c79491fa7

That seems like a more 'secure' value to me than a random int, especially when it's called the SecurityStamp. It seems like it should be populated in the same manner for all users in my database.

How can I populate the SecurityStamp values for my Users database, properly?

Upvotes: 4

Views: 2531

Answers (2)

Hao Kung

Reputation: 28200

So the security stamp can be any string you like; it's just used as a comparison point, so you are free to seed all of these to whatever value you want initially (even a constant empty string would work fine). By default the UserManager will generate a new GUID for the stamp automatically during these methods:

Create
RemovePassword
ChangePassword
AddPassword
RemoveLogin
SetEmail
SetPhoneNumber
ChangePhoneNumber
SetTwoFactorEnabled

And you can always call UpdateSecurityStamp directly.

Finally if you are using the Identity.EF implementation, you can always just directly set the field as well:

user.SecurityStamp = generateAString();
await userManager.UpdateAsync(user);

Upvotes: 2
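
One way to backfill legacy users through the UpdateSecurityStamp call mentioned in the answer above, as an added example that is not part of the original answers. It assumes ASP.NET Identity 2.x with the Entity Framework store and the default IdentityUser type; the class name SecurityStampBackfill is hypothetical.

```csharp
using System;
using System.Data.Entity;            // ToListAsync (assumes the EF-backed store)
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical helper, not part of ASP.NET Identity.
public static class SecurityStampBackfill
{
    // Gives every user that has no stamp yet its own fresh value and
    // returns the number of users updated.
    public static async Task<int> RunAsync(UserManager<IdentityUser> userManager)
    {
        // Collect the ids first so rows are not updated while the query
        // is still being enumerated.
        var ids = await userManager.Users
            .Where(u => u.SecurityStamp == null || u.SecurityStamp == "")
            .Select(u => u.Id)
            .ToListAsync();

        var updated = 0;
        foreach (var id in ids)
        {
            // UserManager generates the new stamp itself, the same way it
            // does inside Create, ChangePassword and the other methods.
            IdentityResult result = await userManager.UpdateSecurityStampAsync(id);
            if (!result.Succeeded)
            {
                throw new InvalidOperationException(
                    "Stamp update failed for user " + id + ": " +
                    string.Join("; ", result.Errors));
            }
            updated++;
        }
        return updated;
    }
}
```

Where SecurityStampValidator is wired into cookie authentication, a user's existing cookies stop validating once the stored stamp changes, which is why the query only selects users that have no stamp yet.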

trailmax

Reputation: 35106

The security stamp by default is a GUID and I have not seen any way to modify it. So if you want to populate that value for all existing users, just run SQL:

update AspNetUsers
set SecurityStamp = NEWID()
where SecurityStamp is null

Upvotes: 4
