For example I delete a user, but he can still walk around the site like nothing happened.
For another example, I remove a role from a user to prevent him from accessing areas of the site that require the role, but until the token expires he can still access them.
So my questions are:
Is there any way I can revoke the claim or token of the user after modifying his roles?
What are the alternatives to the default claim based authorization of Entity Framework, where I can remove access from the user instantly?
What would be the ultimate solution where I don't have to make too many unnecessary calls to the database and I can still do the thing I mentioned in the previous question? For example, could I replace the unnecessary database calls with some kind of memory caching?
CodePudding user response:
You want to have the following configuration in place before you delete the user:
// Re-validate the cookie's security stamp against the user store every minute
// (the default interval is 30 minutes).
services.Configure<SecurityStampValidatorOptions>(options =>
{
    options.ValidationInterval = TimeSpan.FromMinutes(1);
});
Then you want to sign out the user just before you delete the user. Then the user cookie will be invalid and the deleted user cannot log in again.
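As an added example (not code from the question or the answer), this is the same SecurityStampValidatorOptions setting in an ASP.NET Core Identity Program.cs, extended to the role-change case from the question: rotating the security stamp with UpdateSecurityStampAsync makes every cookie the user already holds fail its next validation, while deleting the user needs no extra step because the validator rejects a principal whose user no longer exists in the store. ApplicationUser, AppDbContext and AccessRevoker are hypothetical names, and the SQLite connection string is a constructed sample.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical EF Core store; the connection string is a constructed sample.
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db"));
builder.Services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<AppDbContext>()
    .AddDefaultTokenProviders();

// The cookie is trusted until the next stamp check, so this interval bounds how
// long a revoked role or deleted account keeps working (default is 30 minutes).
builder.Services.Configure<SecurityStampValidatorOptions>(o =>
    o.ValidationInterval = TimeSpan.FromSeconds(30));
builder.Services.AddScoped<AccessRevoker>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();

public class ApplicationUser : IdentityUser { }

public class AppDbContext : IdentityDbContext<ApplicationUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

// Hypothetical admin-side service: after a role change it rotates the security
// stamp, so the user's existing cookies fail validation and are signed out.
public class AccessRevoker
{
    private readonly UserManager<ApplicationUser> _users;
    public AccessRevoker(UserManager<ApplicationUser> users) => _users = users;

    public async Task<IdentityResult> RemoveRoleAsync(string userId, string role)
    {
        var user = await _users.FindByIdAsync(userId);
        if (user is null)
            return IdentityResult.Failed(new IdentityError { Description = "user not found" });
        var result = await _users.RemoveFromRoleAsync(user, role);
        if (!result.Succeeded)
            return result;
        // RemoveFromRoleAsync does not change the stamp; rotate it explicitly.
        return await _users.UpdateSecurityStampAsync(user);
    }
}
```

The interval is the caching the question asks about: the stamp is checked against the database at most once per ValidationInterval per cookie, and a shorter interval trades more lookups for faster revocation.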