6

I am using the ASP.NET Identity framework in an ASP.NET MVC 5 application. In some scenarios the current user's role membership changes, for example:

a) The user made a payment, so they are removed from TrialUsers and added to Users (or any similar subscription change, say from Standard to Premium).

b) For site admins there is an explicit UI where they can edit role membership.

EDIT

Meanwhile I discovered a use case which is not only an inconvenience but a security flaw, and makes authorization unusable.

c) The failure to recognize role membership changes also applies to the "Remember Me" function of the Identity framework. This means that if the user used the Remember Me function (please do not recommend that I not offer this to my users) then the role membership change will never be applied (until the expiration of the remembering). This means that I cannot effectively revoke any membership, which means I cannot use the authorization subsystem (like attributes on my controllers or action methods) and we are back in the stone age: if(...)

END EDIT

All changes are done using the provided standard API:

UserManager.AddToRolesAsync(...);

and

UserManager.RemoveFromRolesAsync(...);

It seems that the authorization subsystem and/or the Identity subsystem does not recognize the change until the user next signs in. Especially in scenario a) it is very inconvenient to ask the paying user to sign out and sign in. As I see it, the ASP.NET MVC authorization system does not detect the role changes without sign out -> sign in.

Please note that I do know that some authorization systems (like Windows) work this way. I am still hoping there is a solution in the Identity framework to avoid forcing the user to sign out -> sign in.

Is there any workaround for this, or have I missed something?

g.pickardou
  • There is a solution. You have to re-issue the cookie. Check http://stackoverflow.com/questions/29285406/usermanager-addtoroleuser-id-members-but-user-isinrole-members-is-delaye/29286361#29286361 – tmg Jul 09 '15 at 08:17
  • @tmg: Thx. Meanwhile I've also diagnosed that this is a cookie-related thing, see my edit about "Remember Me", which is also based on cookies. Reading the question/answer you pointed to. – g.pickardou Jul 09 '15 at 08:24
  • @tmg: and yes, it works. A bit complicated, as I want to apply the role change to _other_ users than the current user in scenarios b) and c), but I managed to solve it with a flag in the ApplicationUser. However there is a side effect: if I call SignInManager.SignIn(user, false, false) with a fixed isPersist = false parameter, the user's KeepMeSignedIn cookie is reset to false. Is there any way to get the current user's last isPersist login setting (besides the trivial: remembering it in a custom ApplicationUser field on every login)? This is off topic, so I will create a separate question for it. – g.pickardou Jul 09 '15 at 09:23
  • @tmg: Your comment is definitely an 'Answer', so in case you copy it as an answer I am going to accept it as the answer. Thanks again. – g.pickardou Jul 09 '15 at 09:35

1 Answer

2

Just sign in the user again to rebuild the user cookie:

SignInManager.SignIn(user, false, false);

Leonel Sanches da Silva
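A fuller version of the approach from the answer and the comments above, covering both the current user (scenario a) and other users changed by an admin (scenarios b and c). This is an added example, not code from the question or the answer; it assumes the standard MVC 5 Identity template types ApplicationUserManager and ApplicationSignInManager, a hypothetical RolesChanged bool property added to ApplicationUser, and a hypothetical RefreshRolesFilter registered as a global filter.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Admin side (scenarios b/c): change another user's roles, then flag the account
// so the next request from that user rebuilds the cookie.
// RolesChanged is a hypothetical bool property assumed to exist on ApplicationUser.
public static class RoleAdmin
{
    public static async Task ChangeRolesAsync(ApplicationUserManager userManager,
        string userId, string[] rolesToRemove, string[] rolesToAdd)
    {
        await userManager.RemoveFromRolesAsync(userId, rolesToRemove);
        await userManager.AddToRolesAsync(userId, rolesToAdd);
        var user = await userManager.FindByIdAsync(userId);
        user.RolesChanged = true;
        await userManager.UpdateAsync(user);
    }
}

// Global MVC filter: on each authenticated request, rebuild the cookie once if the
// flag is set, so revoked roles stop applying even for "Remember Me" sessions.
// Synchronous Identity extension methods are used because MVC 5 filters are synchronous.
public class RefreshRolesFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var http = ctx.HttpContext;
        if (!http.Request.IsAuthenticated) return;

        var owin = http.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        var user = userManager.FindById(http.User.Identity.GetUserId());
        if (user == null || !user.RolesChanged) return;

        // Preserve the original "Remember Me" choice; SignIn(user, false, false)
        // would reset it, as noted in the comments above. Task.Run avoids blocking
        // on the ASP.NET synchronization context from this synchronous filter.
        var ticket = Task.Run(() => owin.Authentication.AuthenticateAsync(
            DefaultAuthenticationTypes.ApplicationCookie)).Result;
        bool isPersistent = ticket != null && ticket.Properties != null
                            && ticket.Properties.IsPersistent;

        // Rebuild the cookie from the current role membership, and clear the flag only
        // afterwards, so a failure here is retried on the next request (fail closed).
        owin.Get<ApplicationSignInManager>().SignIn(user, isPersistent, false);
        user.RolesChanged = false;
        userManager.Update(user);
    }
}
```

The filter only runs for MVC action requests; until one such request rebuilds the cookie, requests handled elsewhere in the same application still carry the old role claims.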