Add/remove from roles, not effective until signout

  • Question

  • User410919734 posted

    Hello

    I have an MVC application using role-based authentication, using <Authorize("Role, ....")> on the controllers and actions.
    When I add or remove a user from a role, the effect is immediate in the user interface (displaying/hiding elements using If um.IsInRole(...) Then).
    So far so good, managing roles works fine.

    However, if I remove a user from a role, let's say "Project", the user still has access to all controllers and actions requiring "Project" authorization until the user signs out.
    When the user signs out and back in, access to "Project" is denied. Likewise with adding.

    Is this intended behaviour, or a bug?
    In either case, how can I make this effective immediately, without forcing the user to sign out? Preferably, of course, without any workaround like checking inside all actions whether the user is actually in the required role.

    Monday, January 25, 2016 10:32 AM

Answers

  • User-821857111 posted

    It's unlikely to be a bug. Using the original RoleManager framework, you can cache a user's roles in a cookie, which will stop the database query from executing. You have to opt in to that behaviour in your web.config or you can write your own caching mechanism. I'm not sure how you manage caching when using Identity, but you should check to see if that's what's happening. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 25, 2016 2:39 PM
  • User410919734 posted

    Hello

    So, definitely, I didn't have any custom code caching or anything, but your answer pointed me in the direction to look at Startup.Auth. I realized that there is some new functionality out of the box in Identity 2.0 that allows setting a validation interval. This was not present in Identity 1.0 (whose code I had in my application).

    I upgraded my application to use Identity 2.0, and now I have this additional code (in Startup.Auth, inside ConfigureAuth):

    ' Sign-in cookie configuration; the OnValidateIdentity hook re-reads the user from the
    ' store once validateInterval has elapsed and rebuilds the identity (and its role claims).
    app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
        .AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        .Provider = New CookieAuthenticationProvider() With {
            .OnValidateIdentity = SecurityStampValidator.OnValidateIdentity(Of ApplicationUserManager, ApplicationUser)(
                validateInterval:=TimeSpan.FromMinutes(30),
                regenerateIdentity:=Function(manager, user) user.GenerateUserIdentityAsync(manager))}})

    The roles are now checked every 30 minutes, or whatever time I set, so that's a good enough solution for me.

    Thank you, Mike (for this, and for all the great articles in your website!)

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, January 26, 2016 8:01 AM
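The reason the role change is not seen until sign-out is that ASP.NET Identity puts the role claims into the authentication cookie at sign-in, so [Authorize(Roles:=...)] only ever reads the cookie and never queries the database. SecurityStampValidator closes that gap by re-reading the user once the configured interval has elapsed since the cookie was issued: if the stored security stamp still matches the one in the cookie it regenerates the identity (fresh role claims) and re-issues the cookie, and if the stamp no longer matches it rejects the cookie and signs the user out. Two practical consequences follow: with a 30-minute interval a removed role remains usable for up to 30 minutes, and validateInterval:=TimeSpan.Zero makes the check run on every request at the cost of one user lookup per request. The following is an added example, not code from the original post or from the Identity library: a complete Startup.Auth configuration in VB.NET, plus a hypothetical RoleAdminController (name and route are assumptions) that rotates the user's security stamp after a role removal so that every outstanding cookie for that user fails its next validation instead of silently carrying the stale role. It assumes the default project template types ApplicationUser, ApplicationUserManager and ApplicationUser.GenerateUserIdentityAsync.

```vb
' Added example (not from the original post). Assumes the default ASP.NET Identity 2.x
' VB.NET project template: ApplicationUser, ApplicationUserManager and
' ApplicationUser.GenerateUserIdentityAsync. RoleAdminController is a hypothetical name.
Imports System
Imports System.Threading.Tasks
Imports System.Web
Imports System.Web.Mvc
Imports Microsoft.AspNet.Identity
Imports Microsoft.AspNet.Identity.Owin
Imports Microsoft.Owin
Imports Microsoft.Owin.Security.Cookies
Imports Owin

Partial Public Class Startup
    Public Sub ConfigureAuth(app As IAppBuilder)
        ' One ApplicationUserManager per request, reachable via GetOwinContext().
        app.CreatePerOwinContext(Of ApplicationUserManager)(AddressOf ApplicationUserManager.Create)

        ' Role claims live inside the application cookie, so authorization never hits the
        ' database on its own. SecurityStampValidator re-reads the user once validateInterval
        ' has elapsed since the cookie was issued: matching stamp -> regenerate claims and
        ' re-issue the cookie; mismatching stamp -> reject the cookie and sign the user out.
        ' TimeSpan.Zero validates on every request (one user lookup per request);
        ' TimeSpan.FromMinutes(30) leaves a revocation window of up to 30 minutes.
        app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
            .AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            .LoginPath = New PathString("/Account/Login"),
            .Provider = New CookieAuthenticationProvider() With {
                .OnValidateIdentity = SecurityStampValidator.OnValidateIdentity(Of ApplicationUserManager, ApplicationUser)(
                    validateInterval:=TimeSpan.FromMinutes(5),
                    regenerateIdentity:=Function(manager, user) user.GenerateUserIdentityAsync(manager))}})
    End Sub
End Class

' Hypothetical admin controller for illustration. Removing the role changes the database
' only; rotating the security stamp afterwards is what makes the user's existing cookies
' fail their next SecurityStampValidator check instead of keeping the stale role claim.
<Authorize(Roles:="Admin")>
Public Class RoleAdminController
    Inherits Controller

    Private ReadOnly Property UserManager As ApplicationUserManager
        Get
            Return HttpContext.GetOwinContext().GetUserManager(Of ApplicationUserManager)()
        End Get
    End Property

    <HttpPost>
    <ValidateAntiForgeryToken>
    Public Async Function RemoveFromRole(userId As String, roleName As String) As Task(Of ActionResult)
        Dim result As IdentityResult = Await UserManager.RemoveFromRoleAsync(userId, roleName)
        If Not result.Succeeded Then
            Return New HttpStatusCodeResult(400, String.Join("; ", result.Errors))
        End If

        ' Invalidate every outstanding cookie for this user at its next validation
        ' (immediately when validateInterval is TimeSpan.Zero, otherwise within the interval).
        ' The user is signed out at that point rather than silently refreshed, which is the
        ' behaviour you want when the removed role carried elevated access.
        Await UserManager.UpdateSecurityStampAsync(userId)
        Return RedirectToAction("Index")
    End Function
End Class
```

Adding a role needs no stamp rotation: the validator regenerates the identity with the new role claim at the next interval boundary anyway, and forcing a sign-out for a grant would only annoy the user. Rotating the stamp is worth it for removals, because that is the case where a stale cookie is an authorization bypass for the length of the interval.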
