User session expires (other than current user)

I am adding a custom column Disabled to my table AspNetUsers so that the administrator can temporarily disable the account. (LockoutEndDateUtc doesn't seem to work the way I want it to.)

But what if the administrator disables the account during user logon? Rather than checking if the current user account is disabled on every request, I am looking for a way to expire this user session so that the next request will require them to be signed in.

I believe this is controlled by the cookie. Is it possible?

+3




1 answer


In fact, this can be done automatically. In ASP.NET Identity, there is a property in the user store called SecurityStamp. When you change this, the user is forced to re-authenticate with the next request. This is because this field is used to generate an authentication token (cookie in your case). The framework has methods built into it to change this either directly (UpdateSecurityStampAsync) or indirectly. A good example of when it changes indirectly is when the authentication password is updated through the framework (i.e. invoking UpdatePassword or RemovePasswordAsync) or when authentication is enabled using two factors for authentication.

The method for changing the security stamp can be found in UserManager and is called UpdateSecurityStampAsync. From the documentation:



Creates a new user security token used for SignOutEverywhere functions.

+5
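An added example, not part of the original question or answer, of the approach described above for ASP.NET Identity 2.x on OWIN: an admin action that sets the Disabled flag and rotates the security stamp, next to the cookie configuration that makes the stamp change take effect. `ApplicationUser`, `ApplicationUserManager` and `AccountAdmin.DisableAsync` are assumed names modelled on the MVC 5 project template, and the manager is assumed to be registered with `app.CreatePerOwinContext`.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Assumed types, shaped like the MVC 5 project template; Disabled is the question's custom column.
public class ApplicationUser : IdentityUser { public bool Disabled { get; set; } }
public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }
}

public static class AccountAdmin
{
    // Hypothetical admin action: persist the flag, then rotate the stamp so
    // cookies issued before this point fail their next stamp validation.
    public static async Task<IdentityResult> DisableAsync(ApplicationUserManager users, string userId)
    {
        var user = await users.FindByIdAsync(userId);
        if (user == null) return IdentityResult.Failed("Unknown user id");
        user.Disabled = true;
        var saved = await users.UpdateAsync(user);
        return saved.Succeeded ? await users.UpdateSecurityStampAsync(userId) : saved;
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            Provider = new CookieAuthenticationProvider
            {
                // The cookie's stamp is compared with the stored one only after
                // validateInterval has elapsed since the cookie was issued, so this
                // value bounds how long a disabled user's existing session survives.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(1),
                    regenerateIdentity: (manager, user) =>
                        manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie))
            }
        });
    }
}
```

Rotating the stamp only ends sessions that already exist; the login action also has to reject users whose Disabled flag is set, otherwise they can sign straight back in.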

