Base solution for your next web application
Open Closed

OnValidateIdentity logs off all users #5255


User avatar
0
OriAssurant created

Dear Support,

We're using MVC 5.* + AngularJS1.*. We are trying to implement logging off another user when that user's securitystamp gets changed. We set up the OnValidateIdentity event in CookieAuthenticationProvider (UserManager is resolved and registered in OwinContext):

app.CreatePerOwinContext(() => IocManager.Instance.Resolve<UserManager>());

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<UserManager, User, long>(
                            validateInterval: TimeSpan.FromMinutes(1),
                            regenerateIdentityCallback: (manager, user) => manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie),
                            getUserIdCallback: (ci) => (Int64.Parse(ci.GetUserId())))
    },
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(30)
});

*: THE GetUserId() is under namespace Microsoft.AspNet.Identity instead of Abp.Runtime.Security.

After doing this, we noticed that all users get signed off (in one minute as I set the validate interval to be 1 minute), no matter whether the user's securitystamp gets updated or not. But we only want to log out users whose securitystamp has been changed. Do I miss something or do anything wrong in setting up the cookie authentication provider?

Thank you,


4 Answer(s)
  • User Avatar
    0
    OriAssurant created

    We separate our host database and tenant databases. And tenant users only exists in their own tenant databases. Would that cause the UserManager not able to find any user so that identityvalidation all fail and log out all users?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    This might help <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/818#issuecomment-175117869">https://github.com/aspnetboilerplate/as ... -175117869</a>. Have you tried it with a Tenant which uses host database ?

  • User Avatar
    0
    OriAssurant created

    <cite>ismcagdas: </cite> Hi,

    This might help <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/818#issuecomment-175117869">https://github.com/aspnetboilerplate/as ... -175117869</a>. Have you tried it with a Tenant which uses host database ?

    Yeah, it's working for users in host database but not tenant users.. Finally I resolved it with the combination of EventBus and Signalr (Register the Signalr client in layout.js so that the logout event could always be triggered for the target user no matter which page the target user is on). Thank you!

  • User Avatar
    0
    ismcagdas created
    Support Team

    Thanks for sharing your solution :)