Invalidating ASP.NET FormsAuthentication server side
Posted
by Rob Walker
on Stack Overflow
See other posts from Stack Overflow
or by Rob Walker
Published on 2010-05-23T20:32:33Z
Indexed on
2010/05/23
20:41 UTC
Read the original article
Hit count: 458
ASP.NET
|forms-authentication
I am experimenting with FormsAuthentication (using ASP.NET MVC2) and it is working fairly well.
However, one case I can't work out how to deal with is validating the user identity on the server to ensure it is still valid from the server's perspective.
eg.
- User logs in ... gets a cookie/ticket
- Out of band the user is deleted on the server side
- User makes a new request to the server. HttpContext.User.Identity.Name is set to the deleted user.
I can detect this fine, but what is the correct way to handle it? Calling FormsAuthentication.SignOut
in the OnAuthorization
on OnActionExecuting
events is too late to affect the current request.
Alternatively I would like to be able to calls FormsAuthentication.InvalidateUser(...) when the user is deleted (or database recreated) to invalidate all tickets for a given (or all) users. But I can't find an API to do this.
© Stack Overflow or respective owner