Andreas

Reputation: 195

Identity isAuthenticated cookie

I have a question regarding the ASP.NET Identity provider. I have made a system where you can execute CRUD operations on users and roles, though I have encountered a problem. If I were to delete a user who is already authenticated (signed in), he will still be able to perform actions on the site, as he still keeps the authentication and authorization cookie on his local machine. When the user logs out he is no longer able to access the site.

My question: Is there a way to make it so when a page is requested it checks whether the user exists in the database or not? Another way could be to not store 'role' cookies and check (via the database) if the user has the required role to access the page or not. I'm not sure how to configure this. Any help is appreciated.

Upvotes: 5

Views: 629

Answers (3)

Andreas

Reputation: 195

I found that installing and reading through Microsoft ASP.NET Identity Samples 2.0.0-beta2 found here: https://www.nuget.org/packages/Microsoft.AspNet.Identity.Samples in combination with reading this: https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/SingleSignOutSample/ was very helpful in solving my problem.

Upvotes: 0

Hao Kung

Reputation: 28200

We added the SecurityStampValidator specifically for this scenario; basically, you configure the CookieMiddleware to check that the user is still valid every so often.

See this question: What is the SecurityStamp

Upvotes: 2
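
An added example, not part of the answer above, showing one way to wire SecurityStampValidator into the OWIN cookie middleware so the cookie is re-checked against the database. The ApplicationUser and ApplicationUserManager types, the "DefaultConnection" connection string name, the login path and the 5-minute interval are assumptions modelled on the Visual Studio MVC 5 template.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Assumed types, named as in the Visual Studio MVC 5 template.
public class ApplicationUser : IdentityUser
{
    // Rebuilds the cookie identity (including role claims) from the database.
    public Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        return manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
    }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // One DbContext and one UserManager per request; the validator
        // resolves the manager from the OWIN context.
        app.CreatePerOwinContext(() => new IdentityDbContext<ApplicationUser>("DefaultConnection"));
        app.CreatePerOwinContext<ApplicationUserManager>((options, context) =>
            new ApplicationUserManager(
                new UserStore<ApplicationUser>(context.Get<IdentityDbContext<ApplicationUser>>())));

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"), // assumed path
            Provider = new CookieAuthenticationProvider
            {
                // Once the cookie is older than validateInterval, look the user up again.
                // A missing user or a changed security stamp rejects the identity and
                // signs the browser out; otherwise the identity is regenerated.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(5),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

The interval is the longest a deleted user's cookie keeps working, so a shorter value narrows that window at the cost of more database lookups. For a user who still exists but whose roles or password changed, calling UserManager.UpdateSecurityStampAsync(userId) changes the stamp so the old cookie fails the next check.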

Marc

Reputation: 992

I believe that if you set cacheRolesInCookie="false" in your web.config on the <roleManager> tag you'll get the desired effect. You'll then be able to handle the user no longer being present in the db and redirect the (ex) user as desired.

Upvotes: 1
