5

I have a question regarding the ASP.NET Identity provider. I have made a system where you can execute CRUD operations on users and roles, though I have encountered a problem. If I were to delete a user who is already authenticated (signed in), he will still be able to perform actions on the site as he still keeps the authentication and authorization cookie on his local machine. When the user logs out he is no longer able to access the site.

My question: Is there a way to make it so when a page is requested it checks whether the user exists in the database or not? Another way could be to not store 'role' cookies and check (via the database) if the user has the required role to access the page or not. I'm not sure how to configure this. Any help is appreciated.

Alex
Andreas

3 Answers

2

We added the SecurityStampValidator specifically for this scenario, basically you configure the CookieMiddleware to check that the user is still valid every so often.

See this question: What is the SecurityStamp

Hao Kung
  • So, I've been trying to get this thing working by reading through the following sample: 'https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/Identity-PasswordPolicy/Identity-PasswordPolicy/'. In your post you're saying I should call the 'UserManager.UpdateSecurityStampAsync(userId)' method to update the user's security stamp. I've implemented the OnValidateIdentity method in my Startup class. Now my question is: will I have to customize the 'ApplicationUserManager' class in some way to get this working? I want this validation check to happen when a 3rd-party user is deleted. – Andreas Apr 02 '14 at 09:10
  • See http://stackoverflow.com/questions/22682663/how-to-hold-the-cookies-claims-updated-with-mcv5-owin/22796932#22796932 – Hao Kung Apr 02 '14 at 18:41
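The wiring the answer refers to, as an added example that is not code from the original post or from the Identity samples. It assumes the ASP.NET Identity 2.x MVC template types (ApplicationDbContext, ApplicationUserManager, ApplicationUser with its GenerateUserIdentityAsync helper); the AdminController and its action names are hypothetical. The point to notice is that there are two different triggers: a deleted user fails validation because FindByIdAsync returns null, while a user who merely lost a role needs an explicit UpdateSecurityStampAsync so the stamp stored in the cookie no longer matches the database.

```csharp
// Startup.Auth.cs (added example; assumes the Identity 2.x template types)
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // One DbContext and one UserManager per request, so the validator below
        // can resolve the manager from the OWIN context.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Re-check the cookie against the database once validateInterval has
                // elapsed since the cookie was issued. If the user no longer exists or
                // the security stamp in the cookie differs from the stored one, the
                // identity is rejected and the middleware signs the cookie out.
                // TimeSpan.Zero checks on every request at the cost of a DB hit each time;
                // a longer interval leaves a stale-access window of that length.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(5),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// AdminController.cs (hypothetical controller for the CRUD screens in the question)
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Deleting the row is enough: at the next validation pass FindByIdAsync
    // returns null, so the validator rejects the still-present cookie.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> DeleteUser(string id)
    {
        var user = await UserManager.FindByIdAsync(id);
        if (user == null)
        {
            return HttpNotFound();
        }
        var result = await UserManager.DeleteAsync(user);
        if (!result.Succeeded)
        {
            return new HttpStatusCodeResult(500, string.Join("; ", result.Errors));
        }
        return RedirectToAction("Index");
    }

    // Role changes short of deletion do not change the row the validator looks up,
    // so rotate the stamp explicitly; cookies issued with the old stamp then fail
    // validation at the next interval and the user is re-authenticated with the
    // current roles.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> RemoveFromRole(string id, string role)
    {
        var result = await UserManager.RemoveFromRoleAsync(id, role);
        if (result.Succeeded)
        {
            await UserManager.UpdateSecurityStampAsync(id);
        }
        return RedirectToAction("Index");
    }
}
```

No subclassing of ApplicationUserManager is needed for this: the validator only uses FindByIdAsync and the security stamp that UserManager already maintains. The one design decision is validateInterval, which is the upper bound on how long a deleted or demoted user can keep acting on the site.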
1

I believe that if you set cacheRolesInCookie="false" in your web.config on the <roleManager> tag you'll get the desired effect. You'll then be able to handle the user no longer being present in the db and redirect the (ex) user as desired.

Marc
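The setting the answer refers to, as an added config fragment rather than text from the original answer. A caveat for readers who are on ASP.NET Identity (as the question is): the roleManager element configures the older ASP.NET Role Manager (System.Web.Security.Roles), which keeps its own roles cookie, whereas ASP.NET Identity carries roles as claims inside the OWIN authentication cookie, so this setting only changes behaviour for sites that use the Role Manager / RoleProvider stack.

```xml
<!-- web.config (added example). With the default cacheRolesInCookie="true" the
     Role Manager writes the user's roles into its own cookie and does not consult
     the RoleProvider again until that cookie expires; with "false" every role
     check goes to the provider, so a user removed from the database or from a
     role loses access on the next request. -->
<configuration>
  <system.web>
    <roleManager enabled="true"
                 cacheRolesInCookie="false"
                 defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="DefaultConnection"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```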
0

I found that installing and reading through Microsoft ASP.NET Identity Samples 2.0.0-beta2 found here: https://www.nuget.org/packages/Microsoft.AspNet.Identity.Samples in combination with reading this: https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/SingleSignOutSample/ was very helpful in solving my problem.

Andreas