How to prevent user from authenticating

Discussion in 'ASP .Net Security' started by salickc@gmail.com, Sep 9, 2005.

  1. Guest

    Hello,

    I'm using Forms Authentication.
    When the user logs in for the first time, I create a persistent cookie,
    so the user will log in automatically every time he browses the site.

    But suppose after a week, I deleted the user from my DB.
    He still has the cookie on his computer, and will connect automatically
    when he browses.

    How can I prevent this situation, but still use persistent cookies?
    Can I re-validate users with authentication cookies also?
    , Sep 9, 2005
    #1

  2. Hello ,

    well - you basically give the user the key to your application :) you could
    at least limit the lifetime of the persistent cookie to something like 30
    days e.g.

    there are other solutions that come to my mind, like keeping a list of deleted
    users but that's hacky, too. Or you could keep the user in the db and mark
    him as locked out.

    persistent cookies are evil, simply put.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hello,
    >
    > I'm using Forms Authentication.
    > When the user logs in for the first time, I create a persistent cookie,
    > so the user will log in automatically every time he browses the site.
    > But suppose after a week, I deleted the user from my DB.
    > He still has the cookie on his computer, and will connect
    > automatically when he browses.
    > How can I prevent this situation, but still use persistent cookies?
    > Can I re-validate users with authentication cookies also?
    >
    Dominick Baier [DevelopMentor], Sep 9, 2005
    #2

  3. Guest

    marking users as locked out means that I need to check the username on
    every page which requires authentication. grrr
    well, I guess that's an idea

    any other ideas?
    , Sep 9, 2005
    #3
  4. Hello ,

    write an HttpModule that handles AuthenticateRequest and check there.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > marking users as locked out means that I need to check the username
    > on every page which requires authentication. grrr
    > well, I guess that's an idea
    > any other ideas?
    >
    Dominick Baier [DevelopMentor], Sep 9, 2005
    #4
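
The HttpModule suggested in reply #4, sketched as an added example that is not code from any poster in this thread. It assumes accounts are stored in the configured ASP.NET Membership provider (swap in your own DB query otherwise); the class name, cache key and 60-second cache window are hypothetical choices.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Added example. Register under <system.web><httpModules> with
//   <add name="AccountRevalidation" type="AccountRevalidationModule" />
// so it runs after the built-in FormsAuthentication module.
public class AccountRevalidationModule : IHttpModule
{
    // Assumption: up to 60 s may pass before a deletion takes effect.
    private const int CacheSeconds = 60;

    public void Init(HttpApplication application)
    {
        application.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        IPrincipal user = context.User;

        // No valid forms ticket on this request: nothing to re-validate.
        if (user == null || !user.Identity.IsAuthenticated) return;
        if (IsAccountActive(user.Identity.Name)) return;

        // Account deleted or locked: expire the persistent cookie and continue
        // as anonymous, so URL authorization redirects to the login page.
        FormsAuthentication.SignOut();
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    private static bool IsAccountActive(string userName)
    {
        string key = "acct-active:" + userName;   // hypothetical cache key
        object cached = HttpRuntime.Cache[key];
        if (cached != null) return (bool)cached;

        // Assumption: accounts live in the configured Membership provider.
        MembershipUser account = Membership.GetUser(userName, false);
        bool active = account != null && account.IsApproved && !account.IsLockedOut;
        HttpRuntime.Cache.Insert(key, active, null,
            DateTime.UtcNow.AddSeconds(CacheSeconds), Cache.NoSlidingExpiration);
        return active;
    }
}
```

The short cache keeps the check from costing a database round trip on every request; set CacheSeconds lower, or remove the cached entry when an account is deleted, if revocation has to be immediate.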