Permissions not taking immediate effect


I’m new to EpiServer and wondered if someone could explain whether the below is default EpiServer behavior or a bug in our particular setup.

We are running EpiServer to power our Intranet and have it setup with user information coming over from Active Directory but security groups being managed by EpiServer; users are automatically logged into the EpiServer CMS when they open their browser and logging out or switching login accounts is not permitted.

During my testing I’ve found that adding/removing users from EpiServer security groups does not take effect until the user starts a new browser/login session i.e. they either close and re-open their browser OR allow their session to time-out.

Is it default EpiServer behavior to find that removing a user from the Administrators group, for example, does not take effect until the user closes their browser e.g. you remove a user from the administrators group and find that the security change does not instantly take effect and the user continues to have full administrator access, including the ability to re-add their account to the administrator group, until a new browser/login session is started?

Any information regarding whether the above is an implementation/configuration issue on our environment or default EpiServer behavior would be appreciated.

Apr 02, 2015 11:18

This looks like it could be connected to the roleManager configuration in your web.config, specifically the "cacheRolesInCookie". When a user logs in their roles are assessed and cached in a cookie. This means those roles are not re-assessed until they next log in (or in your case they open a new browser window/session). See more information about this attribute here:

You can try switching the caching off and see if this creates the desired behaviour.


Apr 02, 2015 11:45

Many Thanks David - I'll give it a try

Apr 02, 2015 12:42

Be careful with disabling cacheRolesInCookie with any provider but AD through LDAP in particular.

Apr 02, 2015 13:55

Good point Johan, I didn't mention that this does mean you will query AD on each request. In an intranet scenario this may be OK but certainly worth checking... 

Apr 02, 2015 16:18
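A web.config fragment illustrating the roleManager setting David points to and the trade-off Johan raises. This is an added example, not configuration from the thread, from Episerver or from the poster's environment; the provider name and cookie name are assumed placeholders. It keeps the role cookie but bounds how long a stale group membership can survive, and shows in a comment the uncached alternative that hits the role provider (and so AD/LDAP) on every request.

```xml
<!-- Added example, not from the thread. Provider and cookie names are placeholders. -->
<configuration>
  <system.web>
    <!--
      Option A: cacheRolesInCookie="true" (the ASP.NET default).
      Group membership is evaluated once at login and stored in the role cookie,
      so removing a user from a group is not seen until that cookie expires.
      The settings below shrink that window:
        cookieTimeout            minutes before roles are re-read from the provider
        cookieSlidingExpiration  "false" so an active user cannot keep a stale
                                 cookie alive indefinitely (default is "true")
        cookieProtection         "All" = encrypted and signed (default, stated explicitly)
        cookieRequireSSL         only send the role cookie over HTTPS
        createPersistentCookie   "false" so the cookie dies with the browser session
    -->
    <roleManager enabled="true"
                 defaultProvider="PLACEHOLDER_ROLE_PROVIDER"
                 cacheRolesInCookie="true"
                 cookieName=".PLACEHOLDER_ROLES"
                 cookieTimeout="5"
                 cookieSlidingExpiration="false"
                 cookieProtection="All"
                 cookieRequireSSL="true"
                 createPersistentCookie="false" />

    <!--
      Option B: cacheRolesInCookie="false".
      Roles are fetched from the provider on every request, so a group change
      takes effect immediately. With an AD/LDAP-backed provider this means an
      LDAP round trip per request, which is the cost Johan's caveat refers to.
      Only one roleManager element may appear; this is the alternative form:

      <roleManager enabled="true"
                   defaultProvider="PLACEHOLDER_ROLE_PROVIDER"
                   cacheRolesInCookie="false" />
    -->
  </system.web>
</configuration>
```

With Option A, the exposure described in the question (an administrator removed from the group who can still re-add themselves) is limited to cookieTimeout minutes rather than the life of the browser session; with Option B it disappears, at the price of a provider lookup on each request.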