ApplicationDbContext _context = new ApplicationDbContext();
UserManager<ApplicationUser> _userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(_context));

I remove a user from a role by the following:

_userManager.RemoveFromRole("userId", "roleName");

And it works almost as I would like it to. But if I remove a user who is currently logged in to my application, then he will still be able to "authorize" on all my WebApi calls until he has been logged out. What am I doing wrong?

Edit:

Or how can I signout a given user from code?

1 Answer


Two things:

If you are using OAuth claims, this is a good example of how to invalidate sessions: https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/

Hope this helps!

Paul Bruce
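The approach the linked post describes, rotating the user's SecurityStamp so that every identity issued before the role change becomes stale, is shown below as an added example; it is not code from the question, the answer, or the linked blog. It reuses `ApplicationUser` and `ApplicationDbContext` from the question and assumes the standard ASP.NET Identity 2.x / OWIN packages. The `RoleRevocation`, `CookieAuthConfig` and `ValidateSecurityStampAttribute` names are hypothetical, and the bearer-token filter assumes the token's identity was created through `UserManager.CreateIdentityAsync`, which is what places the `AspNet.Identity.SecurityStamp` claim in it.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// 1. Revoke the role AND rotate the SecurityStamp. Rotating the stamp is what
//    makes cookies and tokens issued before this point fail validation.
public static class RoleRevocation // hypothetical helper name
{
    public static void RemoveFromRoleAndInvalidate(UserManager<ApplicationUser> userManager,
                                                   string userId, string roleName)
    {
        var result = userManager.RemoveFromRole(userId, roleName);
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors));

        // Stored stamp changes; anything still carrying the old stamp is now stale.
        userManager.UpdateSecurityStamp(userId);
    }
}

// 2. Cookie authentication (MVC side): re-check the stamp on every request
//    instead of the default 30 minutes, so the revocation takes effect at once.
public static class CookieAuthConfig // hypothetical helper name
{
    public static void Configure(IAppBuilder app)
    {
        // SecurityStampValidator resolves the manager from the OWIN context,
        // so it has to be registered per request.
        app.CreatePerOwinContext(() =>
            new UserManager<ApplicationUser>(
                new UserStore<ApplicationUser>(new ApplicationDbContext())));

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<UserManager<ApplicationUser>, ApplicationUser>(
                        validateInterval: TimeSpan.Zero, // validate on every request
                        regenerateIdentity: (manager, user) =>
                            manager.CreateIdentityAsync(
                                user, DefaultAuthenticationTypes.ApplicationCookie))
            }
        });
    }
}

// 3. Web API bearer tokens are not covered by the cookie validator, so compare
//    the stamp claim inside the token with the stamp currently in the database.
public class ValidateSecurityStampAttribute : AuthorizationFilterAttribute // hypothetical
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var identity = actionContext.RequestContext.Principal?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return; // anonymous requests are left to [Authorize]

        var userId = identity.GetUserId();
        var stampInToken = identity.FindFirst(Constants.DefaultSecurityStampClaimType)?.Value;

        using (var userManager = new UserManager<ApplicationUser>(
                   new UserStore<ApplicationUser>(new ApplicationDbContext())))
        {
            var currentStamp = userManager.GetSecurityStamp(userId);

            // Missing or outdated stamp: the token predates a role change
            // (or password change, etc.), so reject it as if it had expired.
            if (stampInToken == null || stampInToken != currentStamp)
            {
                actionContext.Response =
                    actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            }
        }
    }
}
```

Apply `[ValidateSecurityStamp]` next to `[Authorize]` on the Web API controllers whose role checks must reflect revocations immediately. The trade-off is one database read per request for the stamp lookup; a `validateInterval` of a few minutes is the usual middle ground when per-request validation is too costly.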
  • I just don't understand why none of the other examples out there which use "RemoveFromRole" address this issue. If you remove someone from the Admin role, and his session is set to last one year, then he can screw up everything for your site. Why is there no "easy" way to do this? I see it as a pretty necessary thing to have. – Simon Sondrup Kristensen Dec 19 '16 at 14:38
  • @SimonSondrupKristensen agreed, this could/should be easier for individual entities like role/user/group. I imagine that since there is a standard mechanism (SecurityStamp) that can overcome this, and since this is more of a session/auth caching issue better fit to handle with session validation code (SecurityStamp), it's low on their priorities list. – Paul Bruce Dec 19 '16 at 14:47