Asp.net Identity How Authentication Cookie getting validated?

Question

net Identity in my MVC 5 application and it works well. But few things i am not clear in Asp.net identity system.

1. How Authentication token (cookie) is getting validated at Server?
2. If the user uses old Authentication cookie (i.e User may got this by previous login) how Asp.net will detect this?

Answer 1

1.How Authentication token (cookie) is getting validated?
Ans: You can find the Startup.Auth.cs file in App_Start Folder where this logic is implemented:

   app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });           

app.UseCookieAuthenticatin enables your application to use cookieAuthention and validate the cookies too , you can also create your own logic to validate your cookie .

2. If the user uses old Authentication cookie (i.e User may got this by previous login) how Asp.net will detect this?
   Ans: It ignores the cookie which are expired and You can define the the expiration time of your cookie in CookieAuthenticationOptions using the below code:

   ExpireTimeSpan = TimeSpan.FromHours(1),