I am using the QuickStart UI for Identity Server to log in users from multiple MVC clients. The users then have the ability to switch their role via a dropdown using userManager.AddToRoleAsync(roleName). I would like to refresh the cookie and use User.IsInRole() without forcing the user to log out.

Things I have tried:

  1. Setting the cookie's ExpireTimeSpan and MaxAge to 1 second (this works, but I would like to use these to log out users after 20 minutes of inactivity).
  2. Setting UpdateAccessTokenClaimsOnRefresh to true and requesting a refresh token (does not work).
  3. Updating the security stamp (does not work).
Gil León

1 Answer

You can issue a new cookie at the time of the role change; however, that will only change the user's role in the current session. If they have other sessions open on different tabs or devices, those sessions will remain with the old cookie.

The cookie is a "stamp of approval" that the user is authenticated: when the app receives a valid cookie, it only does minimal checks (like verifying the security stamp) and then approves the user with the claims present in the cookie.

A possible solution to your problem might be to change your app so that instead of storing the user claims in the cookie it fetches them from the database at each request, with caching (to avoid excessive DB requests). Then you can invalidate that cache if you know that the user changed roles.

Aviad P.
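One way to implement the approach in the answer above (keep the cookie as the proof of authentication, but load role claims from the Identity store on each request through a cache that is invalidated when the role changes). This is an added example, not code from the original question, the answer, or the IdentityServer QuickStart UI. It assumes an ASP.NET Core app that has `UserManager<IdentityUser>` for the same Identity database the role switch writes to, and uses the built-in `IClaimsTransformation` hook together with `IMemoryCache`; the class names, the cache key format and the 5-minute TTL are my own choices. Because `User.IsInRole()` checks the identity's `RoleClaimType`, the transformation replaces the role claims on a clone of the principal rather than trusting whatever roles were stamped into the cookie at login.

```csharp
// Added example (not from the original post). Assumes ASP.NET Core Identity,
// Microsoft.Extensions.Caching.Memory and an MVC app that can reach the Identity DB.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Memory;

// Runs after the cookie is validated on every request and overwrites the role
// claims with the roles currently stored in the database (cached per user).
public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5); // assumption
    private readonly UserManager<IdentityUser> _userManager;
    private readonly IMemoryCache _cache;

    public DbRoleClaimsTransformation(UserManager<IdentityUser> userManager, IMemoryCache cache)
    {
        _userManager = userManager;
        _cache = cache;
    }

    // Hypothetical key format; shared with the controller so it can invalidate.
    public static string CacheKey(string userId) => $"roles:{userId}";

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
            return principal;

        var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is null)
            return principal;

        // Cache hit: no DB round trip. Cache miss: one FindById + GetRoles per TTL.
        var roles = await _cache.GetOrCreateAsync(CacheKey(userId), async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheTtl;
            var user = await _userManager.FindByIdAsync(userId);
            return user is null
                ? Array.Empty<string>()
                : (await _userManager.GetRolesAsync(user)).ToArray();
        }) ?? Array.Empty<string>();

        // Work on a clone: TransformAsync can be invoked more than once per request,
        // and the principal from the cookie handler should not be mutated in place.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity!;
        foreach (var stale in cloneIdentity.FindAll(cloneIdentity.RoleClaimType).ToList())
            cloneIdentity.RemoveClaim(stale);
        foreach (var role in roles)
            cloneIdentity.AddClaim(new Claim(cloneIdentity.RoleClaimType, role));
        return clone; // User.IsInRole(...) now reflects the database, not the login-time cookie
    }
}

// The dropdown handler from the question: persist the role, drop the cached roles so
// every session on this server picks up the change, and re-issue the current cookie.
public sealed class RoleSwitchController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly IMemoryCache _cache;

    public RoleSwitchController(UserManager<IdentityUser> userManager,
                                SignInManager<IdentityUser> signInManager,
                                IMemoryCache cache)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _cache = cache;
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Switch(string roleName)
    {
        var user = await _userManager.GetUserAsync(User);
        if (user is null)
            return Challenge();

        var result = await _userManager.AddToRoleAsync(user, roleName);
        if (!result.Succeeded)
            return BadRequest(string.Join("; ", result.Errors.Select(e => e.Description)));

        _cache.Remove(DbRoleClaimsTransformation.CacheKey(user.Id)); // other sessions see it on their next request
        await _signInManager.RefreshSignInAsync(user);               // this session gets a fresh cookie right away
        return RedirectToAction("Index", "Home");
    }
}

// Registration (Startup.ConfigureServices / Program.cs):
//   services.AddMemoryCache();
//   services.AddTransient<IClaimsTransformation, DbRoleClaimsTransformation>();
```

Two caveats a practitioner should weigh: `IMemoryCache` is per process, so with several MVC clients or several web servers each one keeps its own copy and only the one that handled the switch is invalidated immediately (the others catch up at the TTL, or you swap in `IDistributedCache` keyed the same way); and the cookie's expiry settings are untouched, so the 20-minute inactivity logout from the question keeps working independently of how often the roles are refreshed.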