Reputation: 13233
SimpleMembership taking away user authentication?
I'm making a new MVC 4 website and I have setup SimpleMembership. I have also created a CustomPrincipal which inherits from RolePrincipal and has one additional property named UserInfo which contains additional information about the user such as LastName, FirstName and IsActive. This is all stored in the cookie via FormsAuthenticationTicket userData property.
My question is the following. Suppose I have a management page where admin user can disable other user's accounts - set IsActive property to false. Suppose at the same the user which is being disabled is actually currently logged in. I don't want this user to be able to continue to navigate the site if he was denied his access rights.
How can I kill his session meaning destroy his FormsAuthentication cookie? Is this the correct thing to do or is there something else in SimpleMembership that I'm missing? What is the proper path to achieve this task? Any advise would be appreciated...
Upvotes: 4
Views: 436
Answers (1)
Reputation: 4277
I would suggest combining the use of Application_AuthenticateRequest and ASP.NET Cache, as follows:
1) When a user is deleted, write the user ID into the ASP.NET Cache, where it can sit for a finite period of time (perhaps one day):
string cacheKey = "RecentlyDeletedUserId" + userId;
Cache.Add(
cacheKey,
true,
null,
DateTime.Now.AddDays(1),
null,
CacheItemPriority.Normal,
null
);
2) In global.asax, you can add the Application_AuthenticateRequest handler, which is fired for every request after the forms authentication ticket is successfully received by the server. In this handler, you make one cheap, in-memory cache request to see if that user in on the list of recently deleted users. If they are, you sign them out and redirect them to the login page.
protected void Application_AuthenticateRequest(object sender, EventArgs e) {
string cacheKey = "RecentlyDeletedUserId" + userId;
if (Cache[cacheKey] != null)
{
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
}
}
If for some reason you don't like the redirect approach, you could otherwise take an approach like this:
protected void Application_AuthenticateRequest(object sender, EventArgs e) {
string cacheKey = "RecentlyDeletedUserId" + userId;
if (Cache[cacheKey] != null)
{
IPrincipal anonymousPrincipal = new GenericPrincipal(new GenericIdentity(String.Empty), null);
Thread.CurrentPrincipal = anonymousPrincipal;
HttpContext.Current.User = anonymousPrincipal;
}
}
This simply replaces the user with an anonymous user, which ensures that the user will not be able to do anything on your site. (This alternate approach is from Invalidating ASP.NET FormsAuthentication server side.)
Upvotes: 3
Related Questions
- SimpleMembership with ASP.Net MVC 4 project
- SimpleMembership in a Intranet Application
- MVC 4 Simplemembership confusion with Session
- ASP.NET MVC authenticates and authorizes non-existent users
- asp.net mvc 4: simplemembership - WebSecurity.Login fails when the user is not confirmed
- SimpleMembership fails first login attempt
- SimpleMembership Presents Login Form to Authenticated User
- MVC 4 Simplemembership
- SimpleMembership with ASP.Net Web application (NO MVC, NO RAZOR. Just standard .net web project)
- SimpleMembershipProvider