Question

I have 2 questions regarding the claims:

1) In .NET 4.5 and MVC 5, how does Microsoft implement authorization? When you set the AuthorizeAttribute on a controller, does it check the database to get the user role, or does it use the claims?

I've read somewhere that Microsoft uses the database each time to verify the role, and they advised writing a new AuthorizeAttribute to implement claims authentication.

This is the article I'm talking about: http://kevin-junghans.blogspot.be/2013/10/improving-performance-of.html

Or is it outdated, and Microsoft now uses the roles in claims?

2) Second question regarding the update of claims:

Imagine that when a user logs in, I set his display name as a claim. The user has the ability to change his display name, so he changes it, but he still sees his old display name until he re-signs in to the website.

Would it be correct to somehow update the claim? And how to do it?


Solution

  1. The authorize attribute is using things off the User.Identity like IsAuthenticated/IsUserInRole, which indirectly looks at claims. Database access is based on when the sign-in cookie is refreshed as opposed to the authorize check, so it's orthogonal.
  2. Claims are updated when the sign-in cookie is generated (database hit). To force an update of the claims, you can just re-sign in the user, which forces the update.
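
Added example (not part of the original answer, and not Microsoft's code): a console program using only `System.Security.Claims` that shows the role check being answered from the claims captured at sign-in, and those claims staying stale until the identity is rebuilt. `UserRecord`, the `DisplayName` claim type and the in-memory record standing in for the database are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed stand-in for a row in the user table; not a real membership API.
class UserRecord { public string Name; public string DisplayName; public List<string> Roles; }

static class Demo
{
    // Sign-in: the only place the store ("database") is read. The resulting
    // principal is what a cookie middleware would serialize into the cookie.
    static ClaimsPrincipal SignIn(UserRecord u)
    {
        var id = new ClaimsIdentity("ApplicationCookie");
        id.AddClaim(new Claim(ClaimTypes.Name, u.Name));
        id.AddClaim(new Claim("DisplayName", u.DisplayName)); // hypothetical claim type
        foreach (var r in u.Roles) id.AddClaim(new Claim(ClaimTypes.Role, r));
        return new ClaimsPrincipal(id);
    }

    // The same two checks a role-based authorize filter makes: authenticated,
    // then IsInRole, which ClaimsPrincipal answers from its role claims.
    static bool Authorize(ClaimsPrincipal user, params string[] roles)
    {
        return user.Identity.IsAuthenticated
            && (roles.Length == 0 || roles.Any(user.IsInRole));
    }

    static string DisplayName(ClaimsPrincipal p) { return p.FindFirst("DisplayName").Value; }

    static void Main()
    {
        var row = new UserRecord { Name = "alice", DisplayName = "Alice",
                                   Roles = new List<string> { "Admin" } };
        var user = SignIn(row);

        // A profile edit and a role removal change the store only.
        row.DisplayName = "Alice B.";
        row.Roles.Remove("Admin");

        // Existing principal: still the snapshot taken at sign-in.
        Console.WriteLine("{0} admin={1}", DisplayName(user), Authorize(user, "Admin"));

        // Re-sign in: claims are rebuilt from the store, as the answer describes.
        user = SignIn(row);
        Console.WriteLine("{0} admin={1}", DisplayName(user), Authorize(user, "Admin"));
    }
}
```

The same staleness applies to role claims as to the display name: a role removed in the store keeps passing the authorize check until the identity is rebuilt.
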
Licensed under: CC-BY-SA with attribution