Microsoft Identity - removing user from role, but user still has access untill logout

Question

Microsoft Identity - removing user from role, but user still has access untill logout

1k views Asked by Simon Sondrup Kristensen At 28 November 2024 at 06:21

ApplicationDbContext _context = new ApplicationDbContext();
UserManager<ApplicationUser> _userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(_context));

I remove a user from a role by the following:

userManager.RemoveFromRole("userId", "roleName");

And it works almost as I would like it to. But if I remove a user who is currently logged in to my application, then he will still be able to "authorize" on all my WebApi calls, untill he has been logged out. What am I doing wrong?

Edit:

Or how can I signout a given user from code?

Original Q&A

There are 1 answers

**Paul Bruce** · Answer 1 · 2016-12-19 13:59:03

Two things:

Make sure that after changing users/roles, you call _context.SaveChanges()
To require the user's active session to re-validate, use the SecurityStamp feature in ASP.NET. What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?

If you are using OAuth claims, this is a good example of how to invalidate sessions: https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/

Hope this helps!

TechQA.

Microsoft Identity - removing user from role, but user still has access untill logout

There are 1 answers

Related Questions in C#

Related Questions in AUTHENTICATION

Related Questions in AUTHORIZATION

Related Questions in ASP.NET-IDENTITY

Related Questions in USERMANAGER

Popular Questions

Popular Tags

Trending Questions