Blocked Users Can Log In If They Have Auth Cookies

.Net 4.5.1 / MVC 5.1.2 / Identity 2.0.1

Greetings

I needed administrators to be able to disable (not delete) user accounts, so I set the LockoutEndDateUTC field to a future date, and I already had the LockoutEnabled field set to true for all users. There's another SO thread here, which talks about the same method. This clearly works, but only if the user has to enter a username / password.

Here's the problem ... If the user set an auth cookie with the Remember Me function before disconnecting, the lockout is not checked, all subsequent visits are authenticated, and the "lockout" is ultimately ignored.

Firstly, I think this is a bug in Identity, and I have already filed the issue on CodePlex.

Secondly, is there a better way to disable a user in version 2.0?

Thanks!

+4
1 answer

Locked-out users cannot log in, but lockout by design does not discard existing cookies; otherwise a malicious user could cause a legitimate user's cookie to be rejected. Of course, if you really want this behaviour, you can simply call UpdateSecurityStamp for a user who is locked out in your Login action; this will reject existing cookies the next time they are checked against the database.

+6
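Putting the answer together, as an added example that is not the asker's or answerer's code: an admin action that locks the account out and bumps the security stamp, plus the cookie-validation hook that makes the stamp change take effect. It assumes the ApplicationUser and ApplicationUserManager types (and their CreatePerOwinContext registrations) from the default MVC 5 / Identity 2.0 project template; the "Admin" role and the Index action are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }
    // Disables (does not delete) the account and revokes cookies already issued to it.
    // Only admins reach this action, so the denial-of-service concern from the answer
    // (an attacker forcing a victim's cookie to be rejected) does not apply here.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> DisableUser(string userId)
    {
        await UserManager.SetLockoutEnabledAsync(userId, true);
        // Far-future end date: password sign-in stays locked out indefinitely.
        await UserManager.SetLockoutEndDateAsync(userId, DateTimeOffset.MaxValue);
        // The lockout alone leaves "Remember Me" cookies working; changing the
        // security stamp is what makes the validator below reject them.
        await UserManager.UpdateSecurityStampAsync(userId);
        return RedirectToAction("Index");
    }
}
// Startup.Auth.cs: cookies are re-checked against the stored security stamp at most
// once per validateInterval, so a disabled user's cookie can survive for up to that
// long. Shorten it; TimeSpan.Zero validates on every request (one DB hit each).
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

The validator also needs the stamp claim in the cookie, which the template's GenerateUserIdentityAsync already adds; without it the cookie is never re-checked and the stamp change has no effect.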

Source: https://habr.com/ru/post/1545270/

