Invalidating ASP.NET FormsAuthentication server side

Posted by Rob Walker on Stack Overflow
Published on 2010-05-23T20:32:33Z

I am experimenting with FormsAuthentication (using ASP.NET MVC2) and it is working fairly well.

However, one case I can't work out how to deal with is validating the user identity on the server to ensure it is still valid from the server's perspective.

E.g.:

  1. User logs in ... gets a cookie/ticket
  2. Out of band the user is deleted on the server side
  3. User makes a new request to the server. HttpContext.User.Identity.Name is set to the deleted user.

I can detect this fine, but what is the correct way to handle it? Calling FormsAuthentication.SignOut in the OnAuthorization or OnActionExecuting events is too late to affect the current request.

Alternatively, I would like to be able to call FormsAuthentication.InvalidateUser(...) when the user is deleted (or the database is recreated) to invalidate all tickets for a given user (or all users). But I can't find an API to do this.
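One way to handle the scenario in the question, as an added example that is not part of the original post: store a per-user stamp in the ticket's UserData at login and compare it with server-side state in PostAuthenticateRequest, which runs before authorization, so a deleted or invalidated user is treated as anonymous for the current request. IUserStore, GetSecurityStamp, Users and IssueTicket are hypothetical names, and the 30-minute lifetime is an assumed value.

```csharp
// Global.asax.cs -- added example; IUserStore, Users and IssueTicket are hypothetical.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public interface IUserStore
{
    // Returns null when the user no longer exists; otherwise a value that is
    // changed whenever that user's existing tickets must stop working.
    string GetSecurityStamp(string userName);
}

public class MvcApplication : HttpApplication
{
    public static IUserStore Users; // assumption: assigned in Application_Start

    // Call at login in place of FormsAuthentication.SetAuthCookie, then add
    // the returned cookie to Response.Cookies.
    public static HttpCookie IssueTicket(string userName, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), // assumed lifetime
            persistent, Users.GetSecurityStamp(userName), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        { HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = ticket.CookiePath };
        if (persistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Runs after FormsAuthenticationModule has set Context.User and before
    // URL authorization or any MVC authorization filter.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string current = Users.GetSecurityStamp(identity.Name);
        if (current != null && string.Equals(current, identity.Ticket.UserData, StringComparison.Ordinal))
            return; // ticket still matches server-side state

        FormsAuthentication.SignOut(); // expire the cookie in this response
        // Treat the rest of this request as anonymous.
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}
```

The stamp is kept in UserData rather than compared against the ticket's IssueDate because sliding expiration reissues the ticket with a new issue date while carrying UserData over unchanged.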
