How do I forcefully propagate role changes to users with ASP.NET Identity 2.0.1?

About

Asked 18/6, 2014 at 13:10 Answered 19/6, 2014 at 22:12

Solved c#asp.net asp.net-mvc-5 asp.net-identity-2

I've read this and while it explains how role changes will eventually propagate to the user cookie after some time interval, I still don't understand how I force an immediate change to user roles.

Do I really have to sign the user out when I change his roles as administrator? If so — how? If I use AuthenticationManager.SignOut(); then I sign off myself (admin), not the user, whose roles I want to change.

Currently I use await UserManager.UpdateSecurityStampAsync(user.Id); to generate a new security stamp, but it does not work. When I refresh a page in another browser while logged in as another user his claims (including security stamp) do not change.

Ineffectual answered 18/6, 2014 at 13:10 Comment(0)

If you want to enable immediate revocation of cookies, then every request must hit the database to validate the cookie. So the tradeoff between delay is with your database load. But you can always set the validationInterval to 0.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromSeconds(0),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

Donela answered 19/6, 2014 at 22:12 Comment(6)

Thank you, Hao. That's what I thought initially and it does indeed solve the problem, so I am accepting this as an answer. But is there no way to invalidate a cookie for a specific user? I mean, that's a pretty serious tradeoff to solve such a seemingly small task. – Ineffectual 20/6, 2014 at 7:6

Another thing is that with zero validation interval AuthenticationManager.SignOut(); ceases to work and user is being logged out only if I include await UserManager.UpdateSecurityStampAsync(userId);. Doesn't seem too right to me. – Ineffectual 20/6, 2014 at 8:18

Ah yes, so there is a bit of a weird interaction there, since SignOut is telling the app to clear the cookie, but regenerateIdentity tells OWIN to set a new sign in cookie. I believe this is a bug in Owin that will be fixed in a future version (SignOut should always win) – Donela 20/6, 2014 at 19:33

This is the same problem I am having, the user cannot log out as AuthenticationManager.SignOut() does not sign out with an zero validation interval. – Vend 18/2, 2015 at 4:31

@HaoKung I have this issue now - see https://mcmap.net/q/471887/-can-39-t-logoff-identity-mvc-5-sometimes - do you know a solution here? – Private 12/11, 2015 at 11:37

You can also use TimeSpan.Zero rather than parsing from seconds – Wound 3/12, 2018 at 14:40

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags