CODEWITHSUNDEEP
c#asp.net-web-apiasp.net-identity
Benjamin E.
Benjamin E.

Reputation: 5172

ASP.NET Identity sign out another user

Just like in this question, I want to sign out another user via updating the Security Stamp. However it doesn't work when testing on my local machine. I suspect the problem might be with the order of commands I'm using to reset a user and persisting the different properties to the db.

That's my Startup.Auth

public partial class Startup
{
    public static TimeSpan expireTimeSpan = TimeSpan.FromHours(24);
    public static IDataProtectionProvider DataProtectionProvider { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<ApplicationUserManager>());

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            ExpireTimeSpan = expireTimeSpan,
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        DataProtectionProvider = app.GetDataProtectionProvider();
    }
}

And this is a controller method that allows changing another users email == username. On changing the email, the user is supposed to be logged out and not have a valid password anymore.

public async Task<IHttpActionResult> UpdateUser(string id, ApplicationUser newUser)
{
    var user = await _userManager.FindByIdAsync(id);
    if (user == null) ...

    IdentityResult result;

    user.name = newUser.name;
    user.roles = newUser.roles;

    // sign out user and invalidate password
    if (user.email != newUser.email)
    {
        user.email = newUser.email;
        user.PasswordHash = null;

        result = await _userManager.UpdateSecurityStampAsync(user.Id);
        if (!result.Succeeded) throw new Exception("Security Stamp not updated.");

        await _account.SendPasswordEmail(user);
    }

    result = await _userManager.UpdateAsync(user);
    if (!result.Succeeded)
        return GetErrorResult(result);

    return Ok();
}

I have tried persisting the user first, then generating a new SecurityStamp, but that didn't work either.

Any ideas what could be wrong?

Thanks!

Upvotes: 0

Views: 1606

Answers (1)

Erik Funkenbusch
Erik Funkenbusch

Reputation: 93454

Apparently you didn't read the answer in the question you linked to clearly.

// important to register UserManager creation delegate. Won't work without it
app.CreatePerOwinContext(UserManager.Create);

This is further explained here:

https://aspnetidentity.codeplex.com/workitem/2209

However, you should be aware of this bug:

ExpireTimeSpan ignored after regenerateIdentity / validateInterval duration in MVC Identity (2.0.1)

This will be fixed in the forthcoming Identity 2.2/Owin 3.0 release, but is not yet final.

https://aspnetidentity.codeplex.com/workitem/2347

Also see this blog article:

http://tech.trailmax.info/2014/08/cookieauthenticationprovider-and-user-session-invalidation-on-change-of-securitystamp/

Upvotes: 1

Related Questions