
I am using ASP.NET MVC 5 Identity 2.0. The administrator is able to change a user's role, but the user must re-log to see the changes. My first thought was to re-log the user manually, but I failed. After that I thought of dynamically changing the user's role or something else. Could you provide me the right way? I set the user's role using UserManager.AddToRolesAsync. I have tried a lot of things like:

var memberUser = Membership.GetUser(user.UserName.ToString());
if (memberUser.IsOnline)
{
    // Only clears the forms-auth cookie of the *current* request's user,
    // not the cookie held by another user's browser.
    FormsAuthentication.SignOut();
}

or also tried to clean up my cookies. I don't know how I can sign out another user. Also I have read articles like these:

http://w3facility.org/question/mvc-5-addtorole-requires-logout-before-it-works/

How do I forcefully propagate role changes to users with ASP.NET Identity 2.0.1?

How to force logout user when his/her username is changed by another user?

ASP.net Identity 2.0 Sign-out another user

1 Answer

Have a look at the answer provided by Hao Kung on this post; he describes exactly how to solve this using the SecurityStamp.

https://stackoverflow.com/a/19505060/1454538

So the primary purpose of the SecurityStamp is to enable sign out everywhere. The basic idea is that whenever something security related is changed on the user, like a password, it is a good idea to automatically invalidate any existing sign in cookies, so if your password/account was previously compromised, the attacker no longer has access.

In 2.0.0 we added the following configuration to hook the OnValidateIdentity method in the CookieMiddleware to look at the SecurityStamp and reject cookies when it has changed. It also automatically refreshes the user's claims from the database every refreshInterval if the stamp is unchanged (which takes care of things like changing roles, etc.).

This should get you going.

matt.
  • First I tried to call UpdateSecurityStampAsync after editing the user's role and it didn't work. I waited for quite a long time (about 20 minutes) and nothing happened. Then I changed validateInterval from 30 minutes to 10 seconds; after that the user refreshed immediately but was logged out, though it happened before 10 seconds had passed since I edited the user. Then I deleted UpdateSecurityStampAsync and it still worked as before, but the user was logged out. I can set validateInterval to 10 seconds but I'm not sure about the consequences – Bogdan Drachinskiy May 02 '15 at 19:02
  • I'm not sure I quite understand what you mean. Updating the SecurityStamp will not cause the user to be automatically logged out on their end. The cookie has to be sent to the server for it to be invalidated and this has to be done by interaction on the client side. – matt. May 03 '15 at 14:54
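As an added example (not code from the question or the answer), here is the Identity 2.0 wiring the answer refers to, plus the admin-side role change: the validator is what propagates role changes, and UpdateSecurityStampAsync is only needed when the user should lose every existing session. It assumes the ApplicationUserManager, ApplicationUser and GenerateUserIdentityAsync names from the MVC 5 project template; RoleAdmin and ChangeRolesAsync are hypothetical helpers.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Startup.Auth.cs: hook the SecurityStamp check into the cookie middleware.
// ApplicationUserManager / ApplicationUser come from the MVC 5 template.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Once validateInterval has elapsed, the next request re-checks
                // the cookie against the database: a changed stamp rejects it
                // (forced sign-out); an unchanged stamp rebuilds the claims, so
                // new roles appear without a re-login. Shorter = faster
                // propagation, but one extra user lookup per interval.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
// Admin side (hypothetical helper): change roles, then decide whether the user
// keeps the session (claims refresh on next validation) or loses it everywhere.
public static class RoleAdmin
{
    public static async Task ChangeRolesAsync(ApplicationUserManager manager,
        string userId, string[] newRoles, bool signOutEverywhere)
    {
        var current = await manager.GetRolesAsync(userId);
        await manager.RemoveFromRolesAsync(userId, current.ToArray());
        await manager.AddToRolesAsync(userId, newRoles);
        // Rotating the stamp invalidates every existing cookie for this user,
        // but only when that browser next sends a request (it cannot push a logout).
        if (signOutEverywhere) await manager.UpdateSecurityStampAsync(userId);
    }
}
```

This explains the behaviour in the comments above: with a 30-minute validateInterval nothing is re-checked for up to 30 minutes, and with a 10-second interval the stale cookie is rejected on the next request after the stamp changed.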