c# – What is the purpose of ConcurrencyStamp and SecurityStamp in ASP.NET Identity?


The summary of both properties on the IdentityUser entity is in English:

ConcurrencyStamp: A random value that must change whenever a user is persisted to the store.

Translating would be something like this:

A random value that must change whenever a user is persistent in the repository.

SecurityStamp: A random value that must change whenever a users credentials change (password changed, login removed).

Translating would be something like this:

A random value that should change whenever there are changes to the user's credentials (Password changed, login removed).

I'm using Dapper instead of EF with Identity and ConcurrencyStamp never updates so I thought I'd better understand their purpose.

ConcurrencyStamp I was very confused, and the SecurityStamp summary managed to describe it well. However I was super confused when I came across this answer on SOen .

And what I believed to be a function of SecurityStamp is apparently a function of ConcurrencyStamp .

  • What are the purposes of these table properties/columns?
  • Do I need to do something so that, for example, ConcurrencyStamp performs its function correctly with Dapper? It seemed necessary to me after seeing this answer using EF .


ConcurrencyStamp represents the current state of data in the repository and is needed to avoid concurrency issues. Example:

  • An admin opens a user's record to edit their email address
  • Another admin also opens the same user record for the same thing
  • The first admin updates the email and saves
  • When the second admin saves, the ConcurrecyStamp will be different (because the data it had loaded has already been changed) and thus throwing an exception.

SecurityStamp does the same thing but with the information related to the user's credentials. If it logs out or changes the password, SecurityStamp changes, invalidating old cookies and other possible security issues.

About the dapper, apparently do not need to do anything. In the answer you mentioned, it just shows the implementation of IdentityDbContext to "prove" the above explanation.

Scroll to Top