ASP.NET Identity Cookie Authentication

I'm using the MVC 5 default template with "Individual Accounts" selected for authentication. It uses ASP.NET Identity with Entity Framework.

Using Chrome, I opened the app, registered a user and then logged in with that user. I accidentally deleted the database. Now when I open the app again in Chrome it still shows me signed in, since the auth cookie persists in the browser. However, the user that is logged in doesn't exist in the database.

Is it the correct behavior?
If not then any suggestions on how to prevent it?

Martin (best answer)

That's correct behaviour. As long as the auth cookie is valid and not expired your app assumes the user is authenticated.

When you disable or (soft) delete a user, you should call UserManager.UpdateSecurityStamp(string userId) which causes the auth cookie to be invalid on next check.
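The "next check" mentioned in the answer is scheduled by the cookie middleware's `OnValidateIdentity` callback. The following is an added example, not code from the answer: it assumes the Identity 2.x version of the MVC 5 template (whose `ApplicationUserManager`, `ApplicationUser`, `ApplicationDbContext` and `GenerateUserIdentityAsync` it reuses), while `AccountLockService` and the 5-minute interval are hypothetical choices.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Without this callback the cookie is trusted until it expires.
                // With it, the stamp stored in the cookie is compared with the
                // stamp in the user store once per validateInterval; a mismatch
                // rejects the identity. A shorter interval closes the window
                // faster at the cost of more database lookups.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5), // constructed value
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// Hypothetical helper: call it from whatever code disables or soft-deletes a user.
public class AccountLockService
{
    private readonly ApplicationUserManager _users;
    public AccountLockService(ApplicationUserManager users) { _users = users; }

    public async Task DisableAsync(string userId)
    {
        // Async counterpart of the UpdateSecurityStamp call named in the answer.
        IdentityResult result = await _users.UpdateSecurityStampAsync(userId);
        if (!result.Succeeded)
            throw new InvalidOperationException(string.Join("; ", result.Errors));
    }
}
```

Until the interval elapses, an already-issued cookie keeps working, so the interval is the upper bound on how long a disabled account stays signed in.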