Auditing Logins and every subsequent request?

Oct 12, 2014 at 9:14 PM
We're looking at ASP.NET Identity 2.x to determine if it is suitable for an upcoming project.

There are a set of requirements we have to comply with, that would be too big a post, so I'll try to break them down to small parts.

First of all...Auditing. ASP.NET Identity 2.0 appears to have zero auditing tables or even hooks built in. one of the relevant requirements we have to comply with are:
  • audit every operation.
  • the ability to end a session immediately if suspicious activity is observed.
Q: I'd like confirmation that the best practice place to put some logging, updating a Session record's LastActivityDateUtc would be within the defined CookieAuthenticationProvider's.OnValidateIdentity callback as it happens for every request, when it's deserializing the cookie?

Q: But is that the right place to terminate a user? For example, If it checks a Session table/and or User table, and sees that the User has been locked out, how does one terminate gracefully? Does one return an unauthenticated user? or invoke SignOut? or some other method?

Q: As for creating the Session record, and filling in the Session.StartedDateUtc, would the most appropriate way be within OnResponseSignIn, or to override the ApplicationSIgnInManager's?
    public override async Task<SignInStatus> PasswordSignInAsync(string userName, string password, bool isPersistent, bool shouldLockout)
        var r = await base.PasswordSignInAsync(userName, password, isPersistent, shouldLockout);
        if (r == SignInStatus.Success)
            //record client IP, etc. and start a session Record...
            Guid sessionId = _sessionService.Start(userName);
            //Now what? Embed the sessionId in...hum...where?
        return r;
Thank you for your time,