How do I forcefully propagate role changes to users with ASP.NET Identity 2.0.1?
If you want to enable immediate revocation of cookies, then every request must hit the database to validate the cookie. So the tradeoff is between delay and your database load. But you can always set the validateInterval to 0.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromSeconds(0),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});
Update user's membership role
Have a look at the answer provided by Hao Kung on this post; he describes exactly how to solve this using the SecurityStamp.
https://stackoverflow.com/a/19505060/1454538
So the primary purpose of the SecurityStamp is to enable sign out
everywhere. The basic idea is that whenever something security related
is changed on the user, like a password, it is a good idea to
automatically invalidate any existing sign in cookies, so if your
password/account was previously compromised, the attacker no longer
has access. In 2.0.0 we added the following configuration to hook the
OnValidateIdentity method in the CookieMiddleware to look at the
SecurityStamp and reject cookies when it has changed. It also
automatically refreshes the user's claims from the database every
refreshInterval if the stamp is unchanged (which takes care of things
like changing roles etc)
This should get you going.
How to update user role in MVC
If you use ASP.Net Identity 2.0, this is where the SecurityStamp comes to the rescue! Calling UpdateSecurityStampAsync will invalidate the user's cookie and refresh its roles:
await UserManager.UpdateSecurityStampAsync(userId);
More info: What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?
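An added example (not part of the original answers) that pairs a role change with an awaited stamp rotation, so that a cookie validator configured with SecurityStampValidator.OnValidateIdentity rejects the old cookie at its next check and the user signs in again with the new roles. RoleChangeService is a hypothetical name; ApplicationUserManager is assumed to be the string-keyed manager from the default MVC 5 template.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Hypothetical helper, not code from the answers above.
public class RoleChangeService
{
    private readonly ApplicationUserManager _userManager;

    public RoleChangeService(ApplicationUserManager userManager)
    {
        _userManager = userManager;
    }

    // Moves the user from oldRole to newRole, then rotates the security stamp.
    // Returns the first failing IdentityResult, or the result of the stamp update.
    public async Task<IdentityResult> ChangeRoleAsync(string userId, string oldRole, string newRole)
    {
        if (await _userManager.IsInRoleAsync(userId, oldRole))
        {
            var removed = await _userManager.RemoveFromRoleAsync(userId, oldRole);
            if (!removed.Succeeded) return removed;
        }

        if (!await _userManager.IsInRoleAsync(userId, newRole))
        {
            var added = await _userManager.AddToRoleAsync(userId, newRole);
            if (!added.Succeeded) return added;
        }

        // Await the stamp update: if the task is discarded, a failure goes
        // unnoticed and cookies carrying the old role claims stay valid.
        return await _userManager.UpdateSecurityStampAsync(userId);
    }
}
```

How quickly the old cookie stops working still depends on the validateInterval passed to OnValidateIdentity; with a non-zero interval, cookies issued before the change are accepted until the next validation.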
How to find all users in a role with extended properties value Asp.net Identity 2
Just use:
u.Roles.Any(m => m.RoleId == adminRole.Id)
Instead.
Why ASP.NET MVC app doesn't recognize user role changes right after modification?
Since you are using cookies, you need to ensure the cookie is recreated with the new roles after the new role is assigned (otherwise, the stale cookie sticks around until it is expired). After you grant the new role, you can use the auth manager to sign the user out, then sign them in again, thus recreating their cookie, with the newly added roles. I have included a snippet, but you will have to customize for your code:
// identity must be a ClaimsIdentity regenerated for the user after the role change, so it carries the new roles.
IAuthenticationManager authenticationManager = HttpContext.GetOwinContext().Authentication;
authenticationManager.SignOut("ApplicationCookie");
authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);