I have an ASP.NET MVC website. When the users change their password, do the logins from all of the browsers invalidate? I mean, will the user be required to log in on all browsers with the new password? If not, is there a way to do this?

Alireza Noori

1 Answer

Not immediately. It will take 30 minutes by default for old cookies to invalidate in ASP.NET Identity 2. ASP.NET Identity doesn't check the database on every request for that; it has an interval. Use SecurityStamp to change it. You can set it in Startup.Auth.cs; the default is 30 minutes. Set the validateInterval to 0. This is not the most efficient approach, because on every request the database will be hit to check if the cookies are still valid, but it will do the job if you want to see the effects immediately. Also take a look at this and this.

app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.  
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromSeconds(0),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
Hamid Mosalla
  • Thank you very much. I think 30 mins is enough. I was just wondering if it ever invalidates the credential. Glad to know password change will log users out eventually (after 30 mins). – Alireza Noori Jun 09 '15 at 00:07
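
The interval behaviour described in the answer, as an added example that is not part of the original answer and is not ASP.NET Identity's own code: a simplified console model in which a cookie issued before a password change is still accepted inside the validation window and rejected once the stamp is re-checked. The `Cookie` and `StampModel` types and the user name are hypothetical, and the timestamp is constructed.

```csharp
using System;
using System.Collections.Generic;
// Simplified model of security-stamp validation (constructed for illustration;
// every type and member name here is hypothetical, not an ASP.NET Identity API).
class Cookie
{
    public string UserId;
    public string Stamp;       // security stamp copied into the cookie at issue time
    public DateTime IssuedUtc; // when the cookie was issued or last revalidated
}

class StampModel
{
    // Stands in for the users table: userId -> current security stamp.
    readonly Dictionary<string, string> _db = new Dictionary<string, string>();
    public int DbReads; // counts how often validation had to hit the store
    public Cookie SignIn(string userId, DateTime now)
    {
        if (!_db.ContainsKey(userId)) _db[userId] = Guid.NewGuid().ToString();
        return new Cookie { UserId = userId, Stamp = _db[userId], IssuedUtc = now };
    }
    // A password change rotates the stamp, orphaning every cookie issued earlier.
    public void ChangePassword(string userId) => _db[userId] = Guid.NewGuid().ToString();
    // Returns true if the request carrying this cookie stays authenticated.
    public bool Validate(Cookie c, DateTime now, TimeSpan validateInterval)
    {
        if (now - c.IssuedUtc <= validateInterval) return true; // trusted, no lookup
        DbReads++;
        if (_db[c.UserId] != c.Stamp) return false;             // stale stamp: reject
        c.IssuedUtc = now;                                      // reissue restarts the window
        return true;
    }
}

static class Program
{
    static void Main()
    {
        var t0 = new DateTime(2015, 6, 9, 0, 0, 0, DateTimeKind.Utc); // constructed
        var model = new StampModel();
        var otherBrowser = model.SignIn("alice", t0); // session in a second browser
        model.ChangePassword("alice");                // password changed elsewhere
        var window = TimeSpan.FromMinutes(30);
        Console.WriteLine("10 min, 30 min interval: " + model.Validate(otherBrowser, t0.AddMinutes(10), window));
        Console.WriteLine("31 min, 30 min interval: " + model.Validate(otherBrowser, t0.AddMinutes(31), window));
        Console.WriteLine("10 min, zero interval:   " + model.Validate(otherBrowser, t0.AddMinutes(10), TimeSpan.Zero));
        Console.WriteLine("store lookups: " + model.DbReads);
    }
}
```

The lookup counter shows the trade-off the answer mentions: a shorter interval closes the window in which an old cookie still works, at the cost of more reads against the user store.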