Issue with [Authorize]

Jul 11, 2014 at 2:52 PM
Edited Jul 11, 2014 at 2:53 PM
Hi all,

I have stumbled upon the following issue: A user that has authenticated will be granted access to resources marked with [Authorize] even if the corresponding User entity has been deleted.

This can easily be reproduced with the latest samples: Install-Package Microsoft.AspNet.Identity.Samples -Version 2.0.0-beta2 -Pre. Here are the steps:

1) Create an account and login (Use "Remember me"). At this point there is a cookie that says - "you are authenticated".
2) Delete the whole database.
3) Start the project again - you will notice that the header displays all of your data like email, etc. I guess that is fine since the data comes from the cookie that is still available. The problem is that all resources with [Authorize] will be accessible because the cookie says so even though the user is no longer available.

How should one deal with this situation?
Jul 11, 2014 at 6:45 PM
In the scenario you mentioned, it is the cookie middleware that reads the cookie in the request to create an authenticated user. In the Startup.Auth class where the cookie middleware is hooked in, the OnValidateIdentity callback is called every time a valid user is created from the cookie. If you make the timespan zero, then the request is checked each time against the user in the database. This is a known design behavior and not an issue. The timespan is not zero since we don't want to hit the database for each request.
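The Startup.Auth wiring the reply refers to, as an added example that is not code from the thread or from the Identity samples package: it shows the built-in security-stamp validator with its validateInterval (where TimeSpan.Zero forces a database check on every request) next to an explicit per-request check that rejects the cookie identity once the user row is gone. ApplicationDbContext, ApplicationUserManager, ApplicationUser and GenerateUserIdentityAsync are assumed to be the types generated by the samples template; RejectIfUserMissing is a hypothetical helper added here.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed: ApplicationDbContext / ApplicationUserManager come from the samples template.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Option A (the samples' default): re-read the user from the database only
                // when the cookie is older than validateInterval. A deleted user keeps access
                // for up to 30 minutes; TimeSpan.Zero re-checks on every request.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))

                // Option B: swap in the explicit per-request check below (hypothetical helper).
                // OnValidateIdentity = RejectIfUserMissing
            }
        });
    }

    // Rejects the cookie identity when the user no longer exists. Queries the database on
    // every authenticated request, which is the cost the reply above avoids by default.
    private static async Task RejectIfUserMissing(CookieValidateIdentityContext context)
    {
        var manager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var userId = context.Identity.GetUserId();
        var user = userId == null ? null : await manager.FindByIdAsync(userId);
        if (user == null)
        {
            context.RejectIdentity(); // request proceeds as anonymous, so [Authorize] now denies it
            context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
        }
    }
}
```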