
How to invalid all the access token what ever assigned to a

Hi Friends,

How to invalidate all the access tokens assigned to a user after a password change or forgot password?

(The requirement is like this: if the user is logged in on multiple devices and changes the password from one device, the other devices should log out automatically.)

I am using AspnetIdentity and Web API 2.0.
Is there any way to do so?

Any ideas will be appreciated.

Answers (1)

Srikant Maruwada (7y)
You can try the following URL:

https://timmlotter.com/blog/asp-net-identity-invalidate-all-sessions-on-securitystamp-update/

After you change the password you also need to change the SecurityStamp:

    await UserManager.ChangePasswordAsync(User.Identity.GetUserId(), model.OldPassword, model.NewPassword);
    await UserManager.UpdateSecurityStampAsync(User.Identity.GetUserId());

If you want the user to remain logged in, you have to reissue a new authentication cookie (signin):

    await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);

Otherwise the user/session who initiated the password change will also be logged out.

And to log out all other sessions immediately you need to lower the check interval in the config:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromSeconds(1),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
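
The configuration above validates the stamp for cookie sessions; for the bearer access tokens the question asks about, the same comparison can be made in the bearer middleware on each request. This is an added example, not code from the answer or the linked post. It assumes the template's `ApplicationUserManager` and `ApplicationUser`, a user manager registered per OWIN context, and tokens whose identity was built by ASP.NET Identity so that it carries the `AspNet.Identity.SecurityStamp` claim; `UseStampCheckedBearerTokens` is a hypothetical name.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public static class BearerStampValidation
{
    // Claim type ASP.NET Identity 2 uses for the security stamp in a ClaimsIdentity.
    private const string StampClaimType = "AspNet.Identity.SecurityStamp";

    // Hypothetical helper: registers bearer authentication that rejects any
    // token issued before the user's last security stamp update.
    public static void UseStampCheckedBearerTokens(this IAppBuilder app)
    {
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = async context =>
                {
                    ClaimsIdentity identity = context.Ticket.Identity;
                    string userId = identity.GetUserId();
                    string tokenStamp = identity.FindFirstValue(StampClaimType);

                    // Assumes app.CreatePerOwinContext<ApplicationUserManager>(...) ran earlier.
                    var manager = context.OwinContext.GetUserManager<ApplicationUserManager>();
                    var user = userId == null ? null : await manager.FindByIdAsync(userId);

                    // Fail closed: unknown user, token without a stamp, or stale stamp.
                    if (user == null || tokenStamp == null ||
                        !string.Equals(tokenStamp, user.SecurityStamp, StringComparison.Ordinal))
                    {
                        context.Rejected(); // no identity is set, so [Authorize] answers 401
                    }
                }
            }
        });
    }
}
```

This costs one user lookup per authenticated request, the same trade-off as setting `validateInterval` to one second for cookies.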