Whenever we disable a user in our application and the user is already logged in and using the website, their session should expire. But this does not happen right now and the user is able to keep using the website.
However, if disabled user tries to login again then he cannot login, which is correct.
Is this a known issue? What could be the fix for it?
(We are using ASP.NET Zero + jQuery)
Thanks!
10 Answer(s)
-
0
If you want to let the user quit immediately, you need to verify the user information for each request (there will be performance issues).
-
0
@smartlayer
Depends on the authentication method being used. For example, cookie authentication will have its cookie valid till the expiration.
There was a similar workaround previously discussed at https://github.com/aspnetzero/aspnet-zero-core/issues/454
-
0
@ryancyq That URL is not working anymore.
Also, for cookie authentication, we have it so that it keeps sliding if the user is active. So it may never expire sometimes and the user may have access as long as they want. You see the drawback here?
-
0
Is it possible to implement something using SignalR where if a user gets disabled, server notifies browser and deletes the cookie?
-
0
    services.ConfigureApplicationCookie(options =>
    {
        options.Events.OnValidatePrincipal = context =>
        {
            // You can judge here.
            return Task.CompletedTask;
        };
    });

https://github.com/aspnet/Security/blob/a0d6d3e88f974ac8b66890b34d2c28ebd3f25de0/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs#L178
Note: There may be performance issues.
-
0
This looks like a solution for ASPNet Core. I am using ASP.NET MVC.
However, in my case I can use OnValidateIdentity in Startup.cs file. But I am not sure how can I validate user here since database seems to be not accessible from here.
-
0
please refer: https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/
-
0
smartlayer: @ryancyq That URL is not working anymore.
Also, for cookie authentication, we have it so that it keeps sliding if the user is active. So it may never expire sometimes and the user may have access as long as they want. You see the drawback here?

@smartlayer, the URL provided is still valid. You will need to sign in using the GitHub account with the corresponding permission.
In the issue, there is a workaround for the SignalR approach.
-
0
This is what I came up with. But it always returns null, even though the user is active in the database.
    OnValidateIdentity = ctx =>
    {
        var dbContext = new ProjectLearnDbContext();
        var userIdentifier = ctx.Identity.GetUserIdentifierOrNull();
        if (userIdentifier != null)
        {
            var user = dbContext.Users.FirstOrDefault(x => x.Id == userIdentifier.UserId && x.TenantId == userIdentifier.TenantId);
            if (user == null || user.IsActive == false)
            {
                ctx.RejectIdentity();
            }
        }
        return Task.CompletedTask;
    }
I checked what query is running in SQL using SQL Profiler and it turns out to be:
SELECT TOP (1) [Id] AS [Id], [ProfilePictureId] AS [ProfilePictureId], [ShouldChangePasswordOnNextLogin] AS [ShouldChangePasswordOnNextLogin], [AuthenticationSource] AS [AuthenticationSource], [UserName] AS [UserName], [TenantId] AS [TenantId], [EmailAddress] AS [EmailAddress], [Name] AS [Name], [Surname] AS [Surname], [Password] AS [Password], [EmailConfirmationCode] AS [EmailConfirmationCode], [PasswordResetCode] AS [PasswordResetCode], [LockoutEndDateUtc] AS [LockoutEndDateUtc], [AccessFailedCount] AS [AccessFailedCount], [IsLockoutEnabled] AS [IsLockoutEnabled], [PhoneNumber] AS [PhoneNumber], [IsPhoneNumberConfirmed] AS [IsPhoneNumberConfirmed], [SecurityStamp] AS [SecurityStamp], [IsTwoFactorEnabled] AS [IsTwoFactorEnabled], [IsEmailConfirmed] AS [IsEmailConfirmed], [IsActive] AS [IsActive], [LastLoginTime] AS [LastLoginTime], [IsDeleted] AS [IsDeleted], [DeleterUserId] AS [DeleterUserId], [DeletionTime] AS [DeletionTime], [LastModificationTime] AS [LastModificationTime], [LastModifierUserId] AS [LastModifierUserId], [CreationTime] AS [CreationTime], [CreatorUserId] AS [CreatorUserId] FROM [dbo].[AbpUsers] WHERE ((([TenantId] IS NULL) AND (0 IS NULL)) OR (([TenantId] IS NOT NULL) AND (([TenantId] = 0) OR (([TenantId] IS NULL) AND (0 IS NULL)))) ) AND (([IsDeleted] = 0) ) AND ([Id] = 2) AND (([TenantId] = 1) OR (([TenantId] IS NULL) AND (1 IS NULL)))
There are so many extra conditions which are not required and they are causing null to be returned. Looks like it is happening due to Data Filters. I tried disabling them as well but I cannot access CurrentUnitOfWork in Startup class.
How can I get the user entity here?
-
0
hi,
AspNet Identity checks the SecurityStamp field in SecurityStampValidator.cs
This method checks if the value of SecurityStamp on the user entity has been changed. So if the SecurityStamp has changed, the cookie is invalidated.
See this https://github.com/aspnetboilerplate/aspnetboilerplate/issues/818#issuecomment-175117869
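As an added example (not from this thread or from the ASP.NET Zero project), the following OnValidateIdentity handler for the OWIN cookie middleware answers the earlier "how can I get the user entity here?" question and applies the SecurityStamp check from the last answer. It assumes an ASP.NET Zero MVC5 project whose User entity lives in a hypothetical MyCompany.MyProject.Authorization.Users namespace, that ABP's IocManager is initialised before OWIN runs, and that the sign-in identity carries the ASP.NET Identity security stamp claim.

```csharp
using System;
using System.Threading.Tasks;
using Abp.Dependency;
using Abp.Domain.Repositories;
using Abp.Domain.Uow;
using Abp.Runtime.Security;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security.Cookies;
using MyCompany.MyProject.Authorization.Users; // hypothetical namespace of the User entity

public static class ActiveUserCookieValidator
{
    // Re-check against the database only when the identity is older than this, so the
    // lookup does not run on every request (the performance concern raised in the thread).
    private static readonly TimeSpan ValidateInterval = TimeSpan.FromMinutes(1);

    // Wire up in Startup.cs: Provider = new CookieAuthenticationProvider
    //     { OnValidateIdentity = ActiveUserCookieValidator.OnValidateIdentity }
    public static Task OnValidateIdentity(CookieValidateIdentityContext ctx)
    {
        var userIdentifier = ctx.Identity.GetUserIdentifierOrNull();
        if (userIdentifier == null) return Task.CompletedTask;

        var issued = ctx.Properties.IssuedUtc;
        if (issued.HasValue && DateTimeOffset.UtcNow - issued.Value < ValidateInterval)
            return Task.CompletedTask;

        // Startup has no ABP session, so the tenant data filters run with no current tenant and
        // hide the row (the extra WHERE clauses seen in SQL Profiler). Disable them in an explicit
        // unit of work resolved from the IoC container instead of newing up the DbContext.
        using (var scope = IocManager.Instance.CreateScope())
        {
            var uowManager = scope.Resolve<IUnitOfWorkManager>();
            var users = scope.Resolve<IRepository<User, long>>();
            using (var uow = uowManager.Begin())
            using (uowManager.Current.DisableFilter(AbpDataFilters.MayHaveTenant, AbpDataFilters.MustHaveTenant))
            {
                var user = users.FirstOrDefault(u => u.Id == userIdentifier.UserId && u.TenantId == userIdentifier.TenantId);
                var stampClaim = ctx.Identity.FindFirst(Constants.DefaultSecurityStampClaimType)?.Value;
                // Disabling the user should also call UserManager.UpdateSecurityStampAsync so this fires.
                var stampChanged = user != null && stampClaim != null && stampClaim != user.SecurityStamp;
                if (user == null || !user.IsActive || stampChanged)
                {
                    ctx.RejectIdentity(); // request continues as anonymous
                    ctx.OwinContext.Authentication.SignOut(ctx.Options.AuthenticationType); // clear the cookie
                }
                uow.Complete();
            }
        }
        return Task.CompletedTask;
    }
}
```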