user2387226

Log out asp.net user if user does not exist or is inactive / disabled

How would I go about adding to the code below in checking to see that the user exists in the database, and if the account does exist to check if it is inactive or disabled? If either of those are true .. then sign off and redirect the user to the login page.

I am running into an issue that if the aspx auth cookie is saved .. but the user account is deleted or set inactive .. the user can still login.

Protected Sub Page_Init(sender As Object, e As System.EventArgs) Handles Me.Init

    If User.Identity.IsAuthenticated Then
        Response.Redirect("~/homepage")
    End If

End Sub

Thanks for your help.

Upvotes: 0

Views: 1134

Answers (2)

R.C

Reputation: 10565

Your Question ::

I am running into an issue that if the aspx auth cookie is saved .. but the user 
account is deleted or set inactive .. the user can still login.

IsAuthenticated will return true for a user even after they've been removed. This happens because it only checks the authentication cookie, which is still on their system.

You need to remove the Authentication cookie inside your Signout function as below. Suppose, for example, you put a logout button. Add the below code in the Logout button click.

Protected Sub btnLogOutAction_Click(sender As Object, e As EventArgs)
    FormsAuthentication.SignOut()
    ' check your own supplied cookie name. Default name is .ASPXAUTH
    If Request.Cookies(".ASPXAUTH") IsNot Nothing Then
        Dim myCookie As New HttpCookie(".ASPXAUTH")
        myCookie.Expires = DateTime.Now.AddDays(-1.0)
        myCookie.Domain = "test.com"
        Response.Cookies.Add(myCookie)
    End If
End Sub

2.) Question::

to see that the user exists in the database, and if the account does exist to 
check if it is inactive or disabled

This question can have many possible cases. Let's see 3 of them.

CASE I:: If the user is logged in but not active for, say, a few minutes: by default after 20 minutes, ASP.NET will clean up the user's session, and when it does, it will fire a Session_End event that can be handled in Global.asax. You will then be able to mark this user as inactive in the database, or execute any code you want to run as per the requirement.

Case II::

I use to set IsApproved to False to disable users.

Dim user As MembershipUser = Membership.GetUser("Yourusername")
If user IsNot Nothing Then
    user.IsApproved = False
    Membership.UpdateUser(user)
End If

Now you can check this as:

' Parameterized query: the user name is never concatenated into the SQL text
Dim check As New SqlCommand("SELECT Count(*) FROM [Users] WHERE Username = @username", Connect)
check.Parameters.AddWithValue("@username", username)

Dim exist As Integer = CInt(check.ExecuteScalar())
' Greater than zero means the user exists in the database
If exist > 0 Then
    ' Now check if the user is disabled or not approved
    Dim user As MembershipUser = Membership.GetUser("Yourusername")
    If user IsNot Nothing Then
        If user.IsApproved = False Then
            FormsAuthentication.RedirectToLoginPage()
        End If
    End If
End If

CASE III: Using ProfileManager class

Use below sample code as a reference. We can check if user is inactive since a date using the ProfileManager class methods. Read MSDN

' Parameterized query: the user name is never concatenated into the SQL text
Dim check As New SqlCommand("SELECT Count(*) FROM [Users] WHERE Username = @username", Connect)
check.Parameters.AddWithValue("@username", username)

Dim exist As Integer = CInt(check.ExecuteScalar())
' Greater than zero means the user exists in the database
If exist > 0 Then
    ' Now check if the user is marked inactive.
    ' userInactiveSinceDate is a DateTime cutoff that you supply.
    Dim profiles As ProfileInfoCollection = ProfileManager.FindInactiveProfilesByUserName(
        ProfileAuthenticationOption.Authenticated, username, userInactiveSinceDate)
    ' Index the result by the user's name, not by the literal string "UserName"
    If profiles(username) IsNot Nothing Then
        FormsAuthentication.RedirectToLoginPage()
    Else
        ' Code to run if user exists in database and is also active
    End If
End If

Upvotes: 1

codingbiz

Reputation: 26386

Try this

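 If User.Identity.IsAuthenticated Then
     ' Look up the signed-in user in the membership store
     Dim currentuser As MembershipUser = Membership.GetUser()
     ' AndAlso short-circuits, so IsApproved is not read when the user no longer exists
     If currentuser IsNot Nothing AndAlso currentuser.IsApproved = True Then
         Response.Redirect("~/homepage")
     End If
 End If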

Upvotes: 1
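
Added example (not part of the question or of either answer): the answers above check the account on a single page, while the stale-cookie problem in the question applies to every request that carries the ticket. The sketch below re-validates the cookie's user against the membership store once per request in Global.asax. It assumes the site uses Forms Authentication with an ASP.NET Membership provider; the class name Global_asax and the decision to also treat IsLockedOut as disabled are assumptions.

```vb
' Global.asax.vb -- added example, assumes Forms Authentication + Membership provider
Imports System
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    ' Auto-wired by name; runs on every request after the forms ticket
    ' has been read from the cookie and turned into HttpContext.User.
    Protected Sub Application_PostAuthenticateRequest(sender As Object, e As EventArgs)
        Dim ctx As HttpContext = HttpContext.Current

        ' Anonymous request: there is no ticket to validate.
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then
            Return
        End If

        ' The ticket only proves the user signed in at some point in the past.
        ' Look the account up again; False = do not touch LastActivityDate.
        Dim account As MembershipUser =
            Membership.GetUser(ctx.User.Identity.Name, False)

        ' Deleted account -> Nothing; disabled account -> IsApproved = False.
        ' AndAlso short-circuits, so a deleted account never dereferences Nothing.
        Dim stillValid As Boolean =
            account IsNot Nothing AndAlso
            account.IsApproved AndAlso
            Not account.IsLockedOut

        If Not stillValid Then
            ' Expire the authentication cookie in the browser.
            FormsAuthentication.SignOut()
            ' RedirectToLoginPage does not end the request by itself,
            ' so skip the rest of the pipeline explicitly.
            FormsAuthentication.RedirectToLoginPage()
            CompleteRequest()
        End If
    End Sub
End Class
```

This costs one membership lookup per authenticated request, and it takes effect on the user's next request after the account is deleted or disabled.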
