I am using the ASP.NET Identity framework in an ASP MVC 5 application. In some scenarios the current user's role membership changes, like:
a) The user made a payment, so they are removed from TrialUsers and added to Users (or any similar subscription change, say going from Standard to Premium).
b) For site admins there is an explicit UI where they can edit role membership.
EDIT
Meanwhile I discovered a use case which is not only an inconvenience but a security flaw, and makes authorization unusable.
c) The failure to recognize role membership changes also applies to the "Remember Me" function of the Identity framework. This means that if the user used the Remember Me function (please do not recommend that I not offer this to my users), then the role membership change will never be applied (until the remembering expires). This means that I cannot effectively revoke any membership, which means I cannot use the authorization subsystem (like attributes on my controllers or action methods), and we are back in the stone age: if(...)
END EDIT
All changes are done using the provided standard API:
UserManager.AddToRolesAsync(...);
and
UserManager.RemoveFromRolesAsync(...);
It seems that the authorization subsystem and/or identity subsystem does not recognize the change until the next time the user signs in. Especially in scenario a) it is very inconvenient to ask the paying user to sign out and sign in. As I see it, the ASP MVC authorization system does not detect the role changes without sign out->sign in.
Please note I do know that some authorization systems (like Windows) work this way. I am still hoping there is a solution in the Identity framework that avoids forcing the user to sign out->sign in.
Is there any workaround for this, or did I miss something?
Just sign in the user again to rebuild the user cookie:
SignInManager.SignIn(user, false, false);
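As an added example (not from the question or the answer above), here is the answer's re-sign-in for scenario a) combined with the Identity framework's security-stamp validation, which is the part that covers the "Remember Me" cookies in c) and the admin-edited user in b), whose other sessions cannot be re-signed-in from the server. It assumes the default ASP.NET Identity 2.x/OWIN template types (ApplicationUser with its GenerateUserIdentityAsync helper, ApplicationUserManager, ApplicationSignInManager); the role names TrialUsers/Users come from the question, while the controller name and the 5-minute interval are chosen for the example.

```csharp
// Added example; assumes the default ASP.NET Identity 2.x / OWIN MVC 5 template types.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Startup.Auth.cs: every validateInterval the stamp in the cookie is compared with the database.
    // A mismatch (after UpdateSecurityStampAsync) signs that cookie out; a match rebuilds the claims,
    // so role edits made by an admin reach all of the user's sessions, "Remember Me" ones included.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

public class SubscriptionController : Controller
{
    // Scenario a): the signed-in trial user pays and moves from TrialUsers to Users.
    [HttpPost, ValidateAntiForgeryToken, Authorize(Roles = "TrialUsers")]
    public async Task<ActionResult> Upgrade()
    {
        var owin = HttpContext.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        var signInManager = owin.Get<ApplicationSignInManager>();
        var userId = User.Identity.GetUserId();
        await userManager.RemoveFromRolesAsync(userId, "TrialUsers");
        await userManager.AddToRolesAsync(userId, "Users");
        // Role changes do not touch the security stamp; bump it so cookies in other browsers expire.
        await userManager.UpdateSecurityStampAsync(userId);
        // Rebuild this session's cookie with fresh role claims (the answer's approach): no sign-out needed.
        var user = await userManager.FindByIdAsync(userId);
        await signInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        return RedirectToAction("Index", "Home");
    }
}
```

If the user originally ticked "Remember Me", pass isPersistent: true when re-issuing the cookie, otherwise the rebuilt cookie becomes session-only.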