Base solution for your next web application
Ends in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Disabled Users issue in ASPNET Zero MVC + jQuery #5430


User avatar
0
huntethan89 created

Whenever we disable a user in our application and if the user is already login and using the website, its session should expire. But this does not happen right now and user is able to keep using the website.

However, if disabled user tries to login again then he cannot login, which is correct.

Is this a known issue? What could be the fix for it?

(We are using ASP.NET Zero + jQuery)

Thanks!


10 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team

    If you want to let the user quit immediately, you need to verify the user information for each request (there will be performance issues,).

  • User Avatar
    0
    ryancyq created
    Support Team

    @smartlayer

    Depends on the authentication method being used. For example, cookie authentication, will have it's cookie valid till the expiration.

    There was a similar workaround previously discussed at <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/issues/454">https://github.com/aspnetzero/aspnet-ze ... issues/454</a>

  • User Avatar
    0
    huntethan89 created

    @ryancyq That URL is not working anymore.

    Also, for Cookie authentication, we have it so that it keeps sliding if user is active. So it may never expire sometimes and user may have access as long as they wants. You see the drawback here?

  • User Avatar
    0
    huntethan89 created

    Is it possible to implement something using SignalR where if a user gets disabled, server notifies browser and deletes the cookie?

  • User Avatar
    0
    maliming created
    Support Team
    services.ConfigureApplicationCookie(options =>
    {
    	options.Events.OnValidatePrincipal = context =>
    	{
    		//You can judge here.
    		return Task.CompletedTask;
    	};
    });
    

    <a class="postlink" href="https://github.com/aspnet/Security/blob/a0d6d3e88f974ac8b66890b34d2c28ebd3f25de0/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs#L178">https://github.com/aspnet/Security/blob ... er.cs#L178</a>

    Note: There may be performance issues

  • User Avatar
    0
    huntethan89 created

    This looks like a solution for ASPNet Core. I am using ASP.NET MVC.

    However, in my case I can use OnValidateIdentity in Startup.cs file. But I am not sure how can I validate user here since database seems to be not accessible from here.

  • User Avatar
    0
    maliming created
    Support Team

    please refer: <a class="postlink" href="https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/">https://timmlotter.com/blog/asp-net-ide ... mp-update/</a>

  • User Avatar
    0
    ryancyq created
    Support Team

    <cite>smartlayer: </cite> @ryancyq That URL is not working anymore.

    Also, for Cookie authentication, we have it so that it keeps sliding if user is active. So it may never expire sometimes and user may have access as long as they wants. You see the drawback here?

    @smartlayer, the url provided still valid. You will need to sign in using the GitHub account with the corresponding permission.

    In the issue, there is an workaround for SignalR approach.

  • User Avatar
    0
    huntethan89 created

    This is what I came up with. But it always return null. Even though user is active in database.

    OnValidateIdentity = ctx =>
    {
    	var dbContext = new ProjectLearnDbContext();
    
    	var userIdentifier = ctx.Identity.GetUserIdentifierOrNull();
    	
    	if (userIdentifier != null)
    	{
    		var user = dbContext.Users.FirstOrDefault(x => x.Id == userIdentifier.UserId && x.TenantId == userIdentifier.TenantId);
    
    		if (user == null || user.IsActive == false)
    		{
    			ctx.RejectIdentity();
    		}
    	}
    	
    	return Task.CompletedTask;
    }
    

    I checked what query is running in SQL using SQL Profiler and turns out to be-

    SELECT TOP (1) 
        [Id] AS [Id], 
        [ProfilePictureId] AS [ProfilePictureId], 
        [ShouldChangePasswordOnNextLogin] AS [ShouldChangePasswordOnNextLogin], 
        [AuthenticationSource] AS [AuthenticationSource], 
        [UserName] AS [UserName], 
        [TenantId] AS [TenantId], 
        [EmailAddress] AS [EmailAddress], 
        [Name] AS [Name], 
        [Surname] AS [Surname], 
        [Password] AS [Password], 
        [EmailConfirmationCode] AS [EmailConfirmationCode], 
        [PasswordResetCode] AS [PasswordResetCode], 
        [LockoutEndDateUtc] AS [LockoutEndDateUtc], 
        [AccessFailedCount] AS [AccessFailedCount], 
        [IsLockoutEnabled] AS [IsLockoutEnabled], 
        [PhoneNumber] AS [PhoneNumber], 
        [IsPhoneNumberConfirmed] AS [IsPhoneNumberConfirmed], 
        [SecurityStamp] AS [SecurityStamp], 
        [IsTwoFactorEnabled] AS [IsTwoFactorEnabled], 
        [IsEmailConfirmed] AS [IsEmailConfirmed], 
        [IsActive] AS [IsActive], 
        [LastLoginTime] AS [LastLoginTime], 
        [IsDeleted] AS [IsDeleted], 
        [DeleterUserId] AS [DeleterUserId], 
        [DeletionTime] AS [DeletionTime], 
        [LastModificationTime] AS [LastModificationTime], 
        [LastModifierUserId] AS [LastModifierUserId], 
        [CreationTime] AS [CreationTime], 
        [CreatorUserId] AS [CreatorUserId]
        FROM [dbo].[AbpUsers]
        WHERE ((([TenantId] IS NULL) AND (0 IS NULL)) OR (([TenantId] IS NOT NULL) AND (([TenantId] = 0) OR (([TenantId] IS NULL) AND (0 IS NULL)))) ) AND (([IsDeleted] = 0) ) AND ([Id] = 2) AND (([TenantId] = 1) OR (([TenantId] IS NULL) AND (1 IS NULL)))
    

    There are so many extra conditions which are not required and they are causing null to be returned. Looks like it is happening due to Data Filters. I tried disabling them as well but I cannot access CurrentUnitOfWork in Startup class.

    How can I get the user entity here?

  • User Avatar
    0
    alper created
    Support Team

    hi,

    AspNet Identity checks the SecurityStamp field in SecurityStampValidator.cs

    This method checks if value of SecurityStamp on user entity has been changed. So if SecurityStamp have changed, the cookie is invalidated.

    See this <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/issues/818#issuecomment-175117869">https://github.com/aspnetboilerplate/as ... -175117869</a>