
Using an OWIN AuthenticationHandler within an MVC site, I sign in a user as follows:

var claims = new List<Claim> { new Claim(ClaimTypes.Role, UIRoles.PowerUser) };
var identity = session.ToClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie, claims);
Context.Authentication.SignIn(identity);

At some point at a later time, I check that the user is a PowerUser:

User.Identity.HasRole(UIRoles.PowerUser)

This works on my local IIS, but once I publish it on a remote IIS machine, it always returns False when I try to check if the user is a PowerUser. Why could this happen? Am I missing something from, say, the IIS server's configuration or within the remote machine's web.config?

Alexandru
  • Have you created the roles on the live Database, and is the user a member of those roles? As a test can you point your local web.config at the live database and debug that line of code. (I am assuming that your remote IIS machine is using a separate database) – MichaelLake Dec 31 '15 at 13:08
  • @MichaelLake The `web.config` does not point to any database when I run it locally. Is that not supposed to be the case? I thought these roles were just stored inside of the application cookie. – Alexandru Dec 31 '15 at 13:16
  • When using the remote IIS machine - is the Auth cookie present on the client? – MichaelLake Dec 31 '15 at 13:27
  • @MichaelLake Yes, it appears to be there, within `All cookies and site data...` in Chrome, and I can also verify that once I authenticate myself the cookie is present using a Cookie Inspector extension. – Alexandru Dec 31 '15 at 13:32
  • Does this help? http://stackoverflow.com/questions/21404935/mvc-5-access-claims-identity-user-data?rq=1 – MichaelLake Dec 31 '15 at 14:02
  • @MichaelLake I narrowed it down. On the remote machine, I am signing in correctly and the claim is there initially, but I think something is renewing the session cookie and removing the claim at a later point in time. – Alexandru Dec 31 '15 at 15:05
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/99413/discussion-between-michaellake-and-alexandru). – MichaelLake Dec 31 '15 at 15:25

1 Answer


I found the cause. It is a bit silly. I was reissuing cookies when I wanted to renew the user's session, and the problem was that the SessionInfo object I was renewing these cookies to was being replaced with another SessionInfo object without any extra claims:

session.ToClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);

This was wiping the extra claim of UIRoles.PowerUser from the original cookie for me.

Alexandru