I need to immediately cancel and log out any other registered sessions when the user changes his password, but allow the active session (which has just updated the password) to remain in the system.
To do this, I use the method UpdateSecurityStampAsync(currentUser.Id); in the UserManager. All other sessions completed successfully, but the active session also logs off despite SignInAsync being called after updating the security stamp.
The Identity configuration I'm using is as follows:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Login"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(0),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    },
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.SameAsRequest,
    SlidingExpiration = false,
    ExpireTimeSpan = TimeSpan.FromMinutes(10)
});
A snippet of the controller code that updates the password, updates the security stamp, and possibly logs the current user:
var updateResult = await _userManager.ChangePasswordAsync(currentUser.Id, form.CurrentPassword, form.NewPassword);
if (!updateResult.Succeeded)
{
}
_signInManager.AuthenticationManager.SignOut();
await _userManager.UpdateSecurityStampAsync(currentUser.Id);
await _signInManager.SignInAsync(currentUser, false, false);
, - . , (, ), cookie .
:
: .
- , ?
EDIT:
, DefaultAuthenticationTypes SignOut.
:
await _userManager.UpdateSecurityStampAsync(currentUser.Id);
_signInManager.AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
await _signInManager.SignInAsync(currentUser, false, false);
, - , ?
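An added example, not part of the original post and not ASP.NET Identity's own code: a simplified model of the check that a validateInterval of zero runs on every request, comparing the stamp carried in the cookie with the stored one. StampStore, Cookie and Validate are hypothetical stand-ins; the model shows that after the stamp is rotated, only a cookie re-issued with the stamp read back from the store survives.

```csharp
using System;
using System.Collections.Generic;

// Simplified model (assumption): the cookie carries a copy of the user's security
// stamp and every request compares it with the stored value.
class StampStore
{
    private readonly Dictionary<string, string> _stamps = new Dictionary<string, string>();

    public string Get(string userId) { return _stamps[userId]; }

    public string Rotate(string userId)
    {
        _stamps[userId] = Guid.NewGuid().ToString("N");
        return _stamps[userId];
    }
}

class Cookie
{
    public string UserId;
    public string Stamp;
}

static class Demo
{
    // Stand-in for the per-request validator: reject any cookie whose stamp is stale.
    static bool Validate(StampStore store, Cookie c)
    {
        return string.Equals(store.Get(c.UserId), c.Stamp, StringComparison.Ordinal);
    }

    static void Main()
    {
        var store = new StampStore();
        string loginStamp = store.Rotate("u1");   // constructed sample user "u1"
        var otherSession = new Cookie { UserId = "u1", Stamp = loginStamp };
        var userSnapshot = new Cookie { UserId = "u1", Stamp = loginStamp }; // loaded before the change

        store.Rotate("u1");                       // the password change rotates the stamp

        // Re-issued from the object loaded before the rotation: still the old stamp.
        var staleReissue = new Cookie { UserId = "u1", Stamp = userSnapshot.Stamp };
        // Re-issued from the value read back from the store after the rotation.
        var freshReissue = new Cookie { UserId = "u1", Stamp = store.Get("u1") };

        Console.WriteLine("other session valid:  " + Validate(store, otherSession));
        Console.WriteLine("stale re-issue valid: " + Validate(store, staleReissue));
        Console.WriteLine("fresh re-issue valid: " + Validate(store, freshReissue));
    }
}
```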