.Net 4.5.1 / MVC 5.1.2 / Identity 2.0.1
Greetings,
I needed a way for administrators to disable (not delete) user accounts, so I set the LockoutEndDateUTC field to a future date, and I already had the LockoutEnabled field set to true for all users. There's another SO thread, here, that talks about the same method. This obviously works, but only if the user has to enter a username/password.
Here's the problem... If the user has set the auth cookie with the "Remember Me" functionality prior to being disabled, the lockout is not being checked and all subsequent visits are authenticated and the "lockout" is ultimately overlooked.
Firstly, I believe this to be a bug in Identity, and I've already logged an issue on CodePlex.
Second, is there a better way to disable a user in version 2.0?
Thank you!
Locked-out users are prevented from logging in, but indeed being locked out does not reject existing cookies; otherwise malicious users could cause the real user's cookie to get rejected. Of course, if you do want this behavior, you can simply call UpdateSecurityStamp on the user who is locked out in your Login action; this will reject existing cookies the next time they are validated against the database.
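The two halves of that answer, as an added example rather than code from the question or the answer: the OWIN cookie middleware must be wired to the SecurityStampValidator so that a persistent "Remember Me" cookie is re-checked against the database at all, and the administrator's disable action then both sets the lockout (which blocks new password sign-ins) and rotates the security stamp (which rejects every cookie issued before the change). `ApplicationUserManager`, `ApplicationUser`, `ApplicationDbContext` and `GenerateUserIdentityAsync` are assumed to be the ones generated by the MVC 5 / Identity 2.0 project template; `AdminController` and its `Disable` action are hypothetical names for this example. Unlike the answer, this example rotates the stamp in the admin action rather than in Login, since the stamp change itself is what invalidates the cookies.

```csharp
// Startup.Auth.cs (ASP.NET Identity 2.0 on OWIN) -- added example, not from the original post.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Template-generated factories (assumed): one DbContext and one UserManager per request.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Without this provider the cookie is trusted until it expires and the
                // database is never consulted, which is exactly the "Remember Me" gap in
                // the question. With it, a cookie older than validateInterval is compared
                // against the stored SecurityStamp; on mismatch the user is signed out.
                // validateInterval is therefore the upper bound on how long a disabled
                // account can keep using an already-issued cookie.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// AdminController.cs -- hypothetical controller for this example.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Disable(string userId)
    {
        // 1. Lockout: blocks new username/password sign-ins only. A far-future end date is
        //    used instead of DateTimeOffset.MaxValue so the value still fits a SQL datetime column.
        await UserManager.SetLockoutEnabledAsync(userId, true);
        await UserManager.SetLockoutEndDateAsync(userId, DateTimeOffset.UtcNow.AddYears(100));

        // 2. Stamp rotation: every cookie issued before this call carries the old stamp and is
        //    rejected the next time SecurityStampValidator re-validates it (see Startup above).
        await UserManager.UpdateSecurityStampAsync(userId);

        return RedirectToAction("Index");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Enable(string userId)
    {
        // Clearing the end date re-enables password sign-in; no stamp change is needed, the
        // user simply logs in again and receives a cookie with the current stamp.
        await UserManager.SetLockoutEndDateAsync(userId, DateTimeOffset.UtcNow);
        return RedirectToAction("Index");
    }
}
```

Two things to verify after wiring this up: sign in with "Remember Me", disable the account from another session, and confirm the first session is redirected to the login page within the validateInterval (5 minutes here); and check that the lockout check still rejects a fresh password login, since the validator only compares stamps and does not itself consult LockoutEndDateUtc.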