
I've read this and while it explains how role changes will eventually propagate to the user cookie after some time interval, I still don't understand how I force an immediate change to user roles.

Do I really have to sign the user out when I change his roles as administrator? If so — how? If I use AuthenticationManager.SignOut(); then I sign off myself (admin), not the user, whose roles I want to change.

Currently I use await UserManager.UpdateSecurityStampAsync(user.Id); to generate a new security stamp, but it does not work. When I refresh a page in another browser while logged in as another user his claims (including security stamp) do not change.

asked by Intoccabil, edited by pixelmeow

1 Answer

If you want to enable immediate revocation of cookies, then every request must hit the database to validate the cookie. So the tradeoff is between delay and your database load. But you can always set the validationInterval to 0.

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromSeconds(0),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});
```
answered by Hao Kung, edited by Rey

  • Thank you, Hao. That's what I thought initially and it does indeed solve the problem, so I am accepting this as an answer. But is there no way to invalidate a cookie for a specific user? I mean, that's a pretty serious tradeoff to solve such a seemingly small task. – Intoccabil Jun 20 '14 at 07:06
  • Another thing is that with zero validation interval `AuthenticationManager.SignOut();` ceases to work and the user is only logged out if I include `await UserManager.UpdateSecurityStampAsync(userId);`. Doesn't seem too right to me. – Intoccabil Jun 20 '14 at 08:18
  • Ah yes, so there is a bit of a weird interaction there, since SignOut is telling the app to clear the cookie, but regenerateIdentity tells OWIN to set a new sign-in cookie. I believe this is a bug in Owin that will be fixed in a future version (SignOut should always win) – Hao Kung Jun 20 '14 at 19:33
  • This is the same problem I am having, the user cannot log out as AuthenticationManager.SignOut() does not sign out with an zero validation interval. – Rhys Stephens Feb 18 '15 at 04:31
  • @HaoKung I have this issue now - see http://stackoverflow.com/a/33670509/24109 - do you know a solution here? – Matt Roberts Nov 12 '15 at 11:37
  • You can also use [TimeSpan.Zero](https://learn.microsoft.com/en-us/dotnet/api/system.timespan.zero?view=netframework-4.7.2) rather than parsing from seconds – Marie Dec 03 '18 at 14:40
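The tradeoff the answer describes (revocation delay versus a database read on every request), as an added illustration that is not code from the question, the answer, or ASP.NET Identity: a small Python model of the security-stamp check. An in-memory store stands in for the user table, a dataclass stands in for the authentication cookie, and `validate()` reproduces the decision the validator makes per request: trust the cookie while it is younger than `validateInterval`, otherwise compare its stamp with the stored one, reject on mismatch and reissue on match. The names `AuthCookie`, `UserStore`, `validate` and `revocation_scenario`, the user "alice" and all timings are constructed for this model.

```python
"""Model of ASP.NET Identity's security-stamp cookie validation.

Constructed example: an in-memory user store stands in for the Identity
user table, a dataclass stands in for the authentication cookie, and
validate() reproduces the per-request decision of the security stamp
validator. Times are plain seconds since sign-in.
"""
from __future__ import annotations

import dataclasses
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthCookie:
    user_id: str
    security_stamp: str  # stamp copied into the cookie at sign-in / regeneration
    issued_at: float     # when this cookie (or its regenerated copy) was issued


class UserStore:
    """Constructed stand-in for the user table; counts reads as database load."""

    def __init__(self) -> None:
        self.stamps: dict[str, str] = {}
        self.reads = 0

    def add_user(self, user_id: str) -> None:
        self.stamps[user_id] = secrets.token_hex(8)

    def get_stamp(self, user_id: str) -> str | None:
        self.reads += 1  # every validation past the interval costs one lookup
        return self.stamps.get(user_id)

    def update_security_stamp(self, user_id: str) -> None:
        # Models UpdateSecurityStampAsync: a fresh random stamp means every
        # cookie still carrying the old stamp fails its next validation.
        self.stamps[user_id] = secrets.token_hex(8)


def sign_in(store: UserStore, user_id: str, now: float) -> AuthCookie:
    return AuthCookie(user_id, store.get_stamp(user_id), now)


def validate(cookie: AuthCookie, store: UserStore, now: float, validate_interval: float):
    """Decide whether a cookie is still good; returns (accepted, cookie_to_keep).

    Within validate_interval of issue the cookie is trusted as-is (no DB hit).
    Past the interval the stored stamp is compared: a mismatch rejects the
    cookie, a match reissues it with a fresh timestamp (the regenerate step).
    """
    if now - cookie.issued_at < validate_interval:
        return True, cookie
    current = store.get_stamp(cookie.user_id)
    if current is None or current != cookie.security_stamp:
        return False, None
    return True, dataclasses.replace(cookie, issued_at=now)


def revocation_scenario(validate_interval: float, request_times, change_at=None):
    """Replay a user's requests; an admin rotates the stamp at change_at (if set).

    Returns ([(request_time, accepted), ...], db_reads_spent_on_validation).
    The replay stops at the first rejected request.
    """
    store = UserStore()
    store.add_user("alice")
    cookie = sign_in(store, "alice", now=0)
    reads_before = store.reads
    results = []
    changed = False
    for t in request_times:
        if change_at is not None and not changed and t >= change_at:
            store.update_security_stamp("alice")  # admin-side change for another user
            changed = True
        accepted, cookie = validate(cookie, store, t, validate_interval)
        results.append((t, accepted))
        if not accepted:
            break
    return results, store.reads - reads_before


if __name__ == "__main__":
    every_5_min = [300, 600, 900, 1200, 1500, 1800, 2100]
    for interval in (1800, 0):  # 30-minute default vs. the answer's zero interval
        results, reads = revocation_scenario(interval, every_5_min, change_at=400)
        print(f"interval={interval:5}s, stamp rotated at 400s -> {results}, DB reads={reads}")
        _, reads = revocation_scenario(interval, every_5_min)
        print(f"interval={interval:5}s, no rotation            -> DB reads={reads}")
```

With a 30-minute interval the rotated stamp is only noticed at the 1800 s request, so the user keeps the old roles for the whole remaining window at the cost of one lookup; with a zero interval the very next request after the rotation is rejected, but every request in the quiet run also costs a lookup. That is the load-versus-latency choice the answer points at, and why a per-user revocation that does not force a lookup on everyone else is what the comments are asking for.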