I use MVC (4) with Identity (2.0), and my webapp has an admin page for user management.
One functionality of admins is inactive (freeze) user account as I implemented it:
Add a field in my database called "Active", and if the administrator disconnects the user, the value of the field is "0".
In order not to check that every user on every page of my site only runs it when the user tries to log in, so before I let him log in, I check this field.
But now I have a problem:
Example of use: the administrator deactivates the user account "x", and after 10 minutes the user "x" will log on to the site and the site "Remember" him and will not ask him to log in so that my check never happens,
if the site "remembers" the user and does not ask him to log in, I’m in trouble, I need to somehow remove the user.
I read about cookies and the security brand, and my conclusion is:
I need to change the user's security stamp so that the site does not “remember” the user and allows him not to log in.
First: I got it right? change the user’s security mark and the site doesn’t remember him?
: , , , ? ? ?
... :)
: , - (, , ), ?
Update2: GUID ( ), .