Umbraco Member thrown out after changing password

By Markus Johansson
2026-05-01

I'm working on a migration of the website for my Umbraco package Newsletter Studio, from Umbraco 8 to Umbraco 17.

I use Umbraco Members to allow customers to log in and manage their licenses, update information and download receipts.

New password = Member logged out

When I was working on a feature to allow customers to change their password, I noticed that I kept getting thrown out of the logged-in area of the website after changing the password.

The Member was thrown out both:

  • When they changed the password themselves
  • When the password was changed from the backoffice

I searched around for this, and it turns out that this is a security feature.

Umbraco has introduced settings around concurrent logins, both for Users and Members. These can be configured in appsettings.json:

"Umbraco": {
    "CMS": {
        "Security": {
            "AllowConcurrentLogins": false,
            "MemberAllowConcurrentLogins": false
        }
    }
}

According to the documentation, MemberAllowConcurrentLogins will fall back to the value of AllowConcurrentLogins, which is set to false by default.

What happened?

When the user changed the password, it looked like a new login. Since concurrent logins were not allowed, the user was thrown out.

There are two ways around this. One could refresh the user's login cookie by calling _memberSignInManager.SignInAsync() after the password change:

var currentMember = await _memberManager.GetCurrentMemberAsync();
if (currentMember is null)
{
    // No member is logged in, so there is no password to change
    return Error();
}

// Verify the current password before allowing the change
var currentPasswordIsValid = await _memberManager.ValidateCredentialsAsync(currentMember.UserName!, model.CurrentPassword!);
if (!currentPasswordIsValid)
{
    return Error();
}

var changePasswordResult = await _memberManager.ChangePasswordAsync(
    currentMember,
    model.CurrentPassword!,
    model.NewPassword!);

if (!changePasswordResult.Succeeded)
{
    return Error();
}

// Refresh member authentication cookie
await _memberSignInManager.SignInAsync(currentMember, true, "");

Or, one could set AllowConcurrentLogins to true.