How to refresh current authenticated user's role changed membership in ASP.NET identity framework?

I am using the ASP.NET Identity framework in an ASP.NET MVC 5 application. In some scenarios the current user's role membership changes, like:

a) The user made a payment, so they are removed from TrialUsers and added to Users (or any similar subscription change, say moving from Standard to Premium).

b) For site admins there is an explicit UI where they can edit role membership.

EDIT

Meanwhile I discovered a use case which is not only an inconvenience but a security flaw, and it makes authorization unusable.

c) Not recognizing the role membership change also applies to the "Remember Me" function of the Identity framework. This means that if the user used the remember me function (please do not recommend me not to offer this to my users) then the role membership change will never be applied (until the remembering expires). This means that I can not effectively revoke any membership, which means I can not use the authorization subsystem (like attributes on my controllers or action methods) and we are back in the stone age: if(...)

END EDIT

All changes are done using the provided standard API:

UserManager.AddToRolesAsync(...);

and

UserManager.RemoveFromRolesAsync(...);

It seems that the authorization subsystem and/or identity subsystem does not recognize the change until the next time the user signs in. Especially in scenario a) it is very inconvenient to ask the paying user to sign out and sign in. As I see it, the ASP.NET MVC authorization system does not detect the role changes without sign out -> sign in.

Please note that I do know that some authorization systems (like Windows) work this way. I am still hoping there is a solution in the Identity framework to avoid forcing the user to sign out -> sign in.

Is there any workaround for this, or did I miss something?

g.pickardou asked Jul 09 '15 07:07

1 Answer

Just sign in the user again to rebuild the user cookie:

SignInManager.SignIn(user, false, false);
Leonel Sanches da Silva answered Oct 07 '22 16:10
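The following is an added example, not code from the question or the answer, that puts the answer's cookie re-issue into the three scenarios of the question. It goes beyond the answer in one respect: for roles changed by an admin (scenario b) and for "Remember Me" cookies (scenario c), nobody can call SignIn on the affected user's behalf, so it also shows the ASP.NET Identity 2.x SecurityStampValidator configuration that revalidates a cookie against the database. It assumes the Visual Studio MVC 5 template types ApplicationUser, ApplicationUserManager, ApplicationSignInManager and ApplicationUser.GenerateUserIdentityAsync(manager); the class RoleRefreshService and its method names are hypothetical.

```csharp
// Added example (not from the question or the answer). Assumes the VS 2013/2015
// MVC 5 template types: ApplicationUser, ApplicationUserManager,
// ApplicationSignInManager and ApplicationUser.GenerateUserIdentityAsync(manager).
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical service name; the calls inside it are the real Identity 2.x APIs.
public class RoleRefreshService
{
    private readonly ApplicationUserManager _userManager;
    private readonly ApplicationSignInManager _signInManager;
    private readonly IAuthenticationManager _authenticationManager;

    public RoleRefreshService(ApplicationUserManager userManager,
                              ApplicationSignInManager signInManager,
                              IAuthenticationManager authenticationManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _authenticationManager = authenticationManager;
    }

    // Scenario a): the signed-in user's own roles change (e.g. after payment).
    // Role claims are serialized into the auth cookie, so AddToRolesAsync /
    // RemoveFromRolesAsync only change the database; the cookie must be rebuilt.
    public async Task ChangeOwnRolesAsync(string userId, string[] rolesToAdd, string[] rolesToRemove)
    {
        if (rolesToRemove.Length > 0)
            await _userManager.RemoveFromRolesAsync(userId, rolesToRemove);
        if (rolesToAdd.Length > 0)
            await _userManager.AddToRolesAsync(userId, rolesToAdd);

        // Preserve the user's "Remember Me" choice by reading IsPersistent from
        // the cookie that is about to be replaced instead of hard-coding false.
        AuthenticateResult current =
            await _authenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.ApplicationCookie);
        bool isPersistent = current != null && current.Properties != null && current.Properties.IsPersistent;

        ApplicationUser user = await _userManager.FindByIdAsync(userId);
        // Same idea as the answer's SignIn(user, false, false): builds a new
        // ClaimsIdentity from the database (current roles) and writes a fresh cookie.
        await _signInManager.SignInAsync(user, isPersistent, rememberBrowser: false);
    }

    // Scenarios b) and c): an admin edits another user's roles. The admin's request
    // cannot re-issue that user's cookie, so rotate the user's security stamp; the
    // validator configured in Startup below then rejects the stale cookie at the
    // user's next request once validateInterval has elapsed.
    public async Task ChangeOtherUsersRolesAsync(string userId, string[] rolesToAdd, string[] rolesToRemove)
    {
        if (rolesToRemove.Length > 0)
            await _userManager.RemoveFromRolesAsync(userId, rolesToRemove);
        if (rolesToAdd.Length > 0)
            await _userManager.AddToRolesAsync(userId, rolesToAdd);

        // Invalidates every outstanding cookie for this user, including persistent ones.
        await _userManager.UpdateSecurityStampAsync(userId);
    }
}

// Startup.Auth.cs. Without OnValidateIdentity a persistent cookie is trusted until
// it expires, which is exactly the revocation gap described in point c).
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // At most every 5 minutes the stamp in the cookie is compared with the
                // database. Mismatch: the identity is rejected and the user is signed out.
                // Match: regenerateIdentity rebuilds the claims (roles included) from the
                // database and re-issues the cookie, so even role changes made without
                // rotating the stamp show up within validateInterval.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(5),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

The validateInterval is the upper bound on how long a revoked role stays usable, so it is a trade-off between one database read per user per interval and the revocation delay you can accept; TimeSpan.Zero validates on every request.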