3

I have 2 questions regarding the claims:

1) In .NET 4.5 and MVC 5, how does Microsoft implement authorization? When you put AuthorizeAttribute on a controller, does it check the database to get the user's role, or does it use the claims?

I've read somewhere that Microsoft uses the database each time to verify the role, and they advised writing a new AuthorizeAttribute to implement claims authentication.

This is the article I'm talking about: http://kevin-junghans.blogspot.be/2013/10/improving-performance-of.html

Or is it outdated, and now Microsoft uses the roles in claims?

2) Second question regarding the update of claims:

Imagine when a user logs in, I set his display name as a claim. The user has the ability to change his display name, so he changes it, but he still sees his old display name until he re-signs in to the website.

Would it be correct to somehow update the claim...? And how to do it?

Alnedru

1 Answer

4
  1. The authorize attribute is using things off the User.Identity like IsAuthenticated/IsUserInRole, which indirectly look at claims. Database access is based on when the sign-in cookie is refreshed as opposed to the authorize check, so it's orthogonal.
  2. Claims are updated when the sign-in cookie is generated (database hit). To force an update of the claims, you can just re-sign in the user, which forces the update.
Hao Kung
  • I didn't understand the first one, so basically AuthorizeAttribute on controllers does not hit the database every time, but checks the claims instead, that is what I understood. And second, I just have to re-sign in the user, will it have any kind of impact on the user's session in general? – Alnedru Jan 28 '14 at 17:53
  • Correct, Authorize checks the identity, which is claims based by default; it doesn't hit the database. It depends on your app what happens when you re-sign in the user. – Hao Kung Jan 28 '14 at 17:55
  • Nothing, when a user signs in I just put some claims and that is it ) so I suppose it has no effect, ok, I'll do that then. Last question if you know: how to know if a user is using persistent log in or not (remember me option)? – Alnedru Jan 28 '14 at 18:25
  • @HaoKung if for example I added a user to a user role, without telling or forcing the user to sign out, how and when would you update that user's claims? – Jeremy Cook Feb 05 '14 at 21:37
  • You can't; until the sign-in cookie is regenerated from the database, the user would not have the claim associated with being in that new role. – Hao Kung Feb 05 '14 at 23:02
  • @Hao Kung: Can you please explain part 2? What is the right/best place to do the re-sign in and what do I have to use? When I use ApplicationSignInManager.SignIn(user...) it always re-signs in the current logged-in user (myself) and not the user whose claims I've updated. – mmmato Sep 06 '17 at 09:50
  • You can't sign in someone else, as they need to get the updated cookie, not you. – Hao Kung Sep 15 '17 at 22:39
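The following is an added example, not code from the question, the answer or the linked article. It puts the accepted answer and the comment thread into working ASP.NET Identity 2.x / MVC 5 code: the display-name change from the question is persisted to the store and the current user's own cookie is re-issued from the database (the "re-sign in" the answer describes), the "remember me" flag Alnedru asks about is read from the cookie's AuthenticationProperties before the cookie is replaced, and, for Jeremy Cook's case of a role change that the user never re-signs in for, the security-stamp validator from the default Identity template bounds how long a stale role claim can keep passing `[Authorize(Roles = ...)]`. It assumes the default template types (`ApplicationUser` with its `GenerateUserIdentityAsync`, `ApplicationUserManager`), and the claim type `urn:example:displayname` and the controller and action names are hypothetical.

```csharp
// Added example: refreshing claims in the Identity 2.x application cookie and
// bounding the lifetime of stale role claims. Assumes the default MVC 5 Identity
// template (ApplicationUser, ApplicationUserManager). Claim type and names are
// hypothetical.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class ProfileController : Controller
{
    // Hypothetical claim type carrying the display name.
    private const string DisplayNameClaimType = "urn:example:displayname";

    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // Changes the display name and re-issues the cookie for the *current* user only;
    // as the last comment says, another user's cookie cannot be replaced from here.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ChangeDisplayName(string displayName)
    {
        var userId = User.Identity.GetUserId();

        // 1. Persist the change to the store the cookie is generated from; otherwise
        //    the next regeneration would silently restore the old name.
        foreach (var old in await UserManager.GetClaimsAsync(userId))
        {
            if (old.Type == DisplayNameClaimType)
                await UserManager.RemoveClaimAsync(userId, old);
        }
        await UserManager.AddClaimAsync(userId, new Claim(DisplayNameClaimType, displayName));

        // 2. "Remember me" is not a claim; it is the IsPersistent flag in the cookie's
        //    AuthenticationProperties. Read it now so re-signing in keeps the user's choice.
        var current = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.ApplicationCookie);
        bool isPersistent = current != null && current.Properties != null && current.Properties.IsPersistent;

        // 3. Rebuild the identity from the database (this is the database hit the answer
        //    refers to) and replace the cookie, so the very next request sees the new claim.
        var user = await UserManager.FindByIdAsync(userId);
        var identity = await user.GenerateUserIdentityAsync(UserManager);
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, identity);

        return RedirectToAction("Index");
    }
}

// Startup.Auth.cs fragment. Without OnValidateIdentity, a role added to or removed
// from a user in the database is not reflected in [Authorize(Roles = ...)] until that
// user signs in again. With it, once validateInterval has elapsed since the cookie was
// issued, the next request reloads the user: if the security stamp still matches, the
// identity is regenerated from the database (new role claims appear, removed ones
// disappear); if it does not match (UserManager.UpdateSecurityStampAsync was called),
// the cookie is rejected and the user has to sign in again.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    // Upper bound on how long a revoked role keeps authorizing requests.
                    validateInterval: TimeSpan.FromMinutes(5),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

The interval is a trade-off: the answer's point that authorization reads the cookie rather than the database stays true, but every `validateInterval` one request per user pays a database round trip, and during that window a role removed in the database still authorizes. When a change must take effect sooner (for instance an administrator pulls a user out of a privileged role), calling `UserManager.UpdateSecurityStampAsync(userId)` invalidates the existing cookie at the next validation instead of waiting for the user to notice.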