Madd0g

Reputation: 4001

ASP.Net MVC FormsAuthentication - ability to disable user while using a "remember me" persistent cookie

I'm using the built-in Membership for logins with FormsAuthentication. I want to allow the administrator to disable other user accounts. I've thought of changing the IsApproved property of the user to false, but it didn't work and still showed the user as logged in. I figure this happened because of the persistent cookie I've previously set with SetAuthCookie for the user.

I've looked into FormsAuthenticationTicket and SetAuthCookie, I can't seem to find how to re-validate them occasionally against the repository to make sure the user still exists/is active.

Is this covered by the existing functionality?

Thanks

Upvotes: 0

Views: 970

Answers (1)

JOBG

Reputation: 4624

It really depends on how your authentication pipeline works; here is a general idea: with every request, get the data for the user from the DB:

    private User _CurrentUser;

    // Loaded lazily, once per request, from the store of record rather than from the cookie
    public User CurrentUser
    {
        get
        {
            if (_CurrentUser == null && Request.IsAuthenticated)
            {
                //your method to get the user
                _CurrentUser = _UserRepository.GetUserByEmail(HttpContext.User.Identity.Name);
            }
            return _CurrentUser;
        }
    }

Then with an ActionFilter you can check:

    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        //user enabled?
        if (CurrentUser != null && !CurrentUser.IsApproved)
        {
            //Force LogOut: short-circuit the action and redirect to LogOff
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary { { "Controller", "Account" },
                                           { "Action", "LogOff" } });
        }
    }

Upvotes: 1
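As an added example (not part of JOBG's answer or the asker's project), here is a reusable global action filter that performs the same per-request re-validation against the built-in Membership provider instead of a custom repository. It assumes a standard ASP.NET MVC 3+ project with an AccountController that has a Login action and the usual App_Start/FilterConfig.cs registration; the class name RequireApprovedUserAttribute is made up for this example.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

// Added example, not the answer's code: a global MVC action filter that
// re-validates the forms-auth identity against the Membership store on every
// request, so setting IsApproved = false (or deleting the account) takes effect
// even while a "remember me" persistent cookie is still within its lifetime.
public class RequireApprovedUserAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase httpContext = filterContext.HttpContext;

        // Anonymous requests are [Authorize]'s job; there is nothing to re-validate here.
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // userIsOnline = false: do not touch LastActivityDate on every request.
        // GetUser returns null when the account no longer exists.
        MembershipUser user = Membership.GetUser(httpContext.User.Identity.Name, false);

        if (user == null || !user.IsApproved || user.IsLockedOut)
        {
            // Clear the forms-auth cookie (persistent or not) and any session state.
            FormsAuthentication.SignOut();
            if (httpContext.Session != null)
            {
                httpContext.Session.Abandon();
            }

            // Short-circuit: the action method never runs for a disabled account.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary
                {
                    { "controller", "Account" },
                    { "action", "Login" }
                });
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

// Register once in App_Start/FilterConfig.cs so every controller is covered
// without having to remember the attribute on each one.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new RequireApprovedUserAttribute());
    }
}
```

Two points worth keeping in mind with this design. First, FormsAuthentication.SignOut() only clears the cookie in the browser that made the request; the ticket itself stays cryptographically valid until it expires, so the server-side check above is the actual control, and it must run on every authenticated request, not just at login. Second, the check costs one Membership lookup per request; if that is too much, cache the approval state for a short window (seconds to a minute), accepting that a disabled account survives for at most that long.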
