Membership custom provider - logout function

Amitai Palmon

I am writing a custom Membership provider for ASP.NET
I have derived from the Membership provider and have supplied my own methods
that work against my security server.
For login operation, for instance, I implemented the "ValidateUser(name,
password)" function.
I cannot, however, find any function that matches the "logout" operation.
As you may guess, it is a must to implement this function, but - no trace
of it in the membership provider class.
Please advise
Many thanks
Amitai
 
Dominick Baier [DevelopMentor]

hi,

ValidateUser is not a login operation - it validates credentials - and returns
a boolean according to the outcome of the validation. The membership provider
is only an abstraction over a back end data store.

The login control sets the authentication ticket by calling FormsAuthentication.SetAuthCookie.

To clear the authentication ticket call FormsAuthentication.SignOut.
 
Amitai Palmon

Thanks for your answer.

I do understand, as you mentioned, that the provider is an abstraction layer
over a back end data store.

The data store, however, has to be updated for both login and logout.
When "ValidateUser" is being called, I validate the credentials against the
data store and if successful, the data store generates a "sessionID" which
is used afterwards for authorization operations.

When logging out, I need my custom provider to work against the data store
to invalidate the sessionID.

My problem is, that no function of the provider is being called when logging
out, so I have no way of updating my data store and invalidating my
sessionID.

I don't want the application level to access the data store, because then I
have no abstraction...only the provider has to know about the data store.

I hope I have cleared my issue..
Please advise
Many thanks
Amitai
 
Dominick Baier [DevelopMentor]

Hi,

the data store does not generate a sessionID - the data store says yes/no
to the credentials - and afterwards the login control creates something called
an "authentication ticket" - this ticket gets "attached" to the current request/response
using either a cookie or query string mangling.

You can configure the behaviour, lifetime, name etc. of that ticket using
the <forms> config element.

Your membership provider is never called again after authentication - the
FormsAuthentication infrastructure validates the ticket and sets Context.User
now on each request. Authorization is done on the value set for Context.User.

SignOut() clears this ticket (either cookie or querystring again) - and on
the next request the Authorization module emits a 401 which in turn makes
FormsAuthentication emit a 302 to the login page.

The provider and FormsAuthentication are really two distinct things.
 
Amitai Palmon

I fully understand your reply.
Our product is a family of applications which all use a centralized security
server.
The security server keeps track of all connected sessions.
The administrator has a console from which he/she can force disconnect an
active session (if and when needed).
Upon logout, the session is invalidated and removed.
The custom membership provider should work against this security server.
This is why I need a notification on logout...

Please advise one more time..
Thanks
Amitai
 
Dominick Baier [DevelopMentor]

Hi,

then you have to build something customized - the standard provider API does
not provide that functionality.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
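
An added example, not code from this thread or from either poster: one way to build the "something customized" for a logout notification. FormsAuthentication.SignOut only removes the ticket from the browser, so the module below also asks the provider on every request whether the session is still active, which covers the administrator's forced disconnect. The interface ISecurityServerSessions, its three methods, the helper class names and the 30-minute lifetime are hypothetical; the custom provider is assumed to implement the interface alongside MembershipProvider.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical contract the custom provider implements next to MembershipProvider,
// so that only the provider talks to the security server.
public interface ISecurityServerSessions
{
    string OpenSession(string userName);                     // call after ValidateUser returns true
    bool IsSessionActive(string userName, string sessionId);
    void CloseSession(string userName, string sessionId);
}

public static class SecurityServerAuth
{
    static readonly TimeSpan TicketLifetime = TimeSpan.FromMinutes(30); // assumed value

    public static ISecurityServerSessions Sessions
    {
        get { return (ISecurityServerSessions)Membership.Provider; }
    }

    // Use instead of FormsAuthentication.SetAuthCookie: the session id travels in UserData.
    public static void SignIn(HttpResponse response, string userName)
    {
        string sessionId = Sessions.OpenSession(userName);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(TicketLifetime), false, sessionId);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Logout: tell the security server first, then clear the ticket in the browser.
    public static void SignOut(HttpContext context)
    {
        FormsIdentity id = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (id != null) Sessions.CloseSession(id.Name, id.Ticket.UserData);
        FormsAuthentication.SignOut();
    }
}

// Runs on every request; register it under <httpModules> in web.config.
public class SessionRevocationModule : IHttpModule
{
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }
    public void Dispose() { }

    static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        FormsIdentity id = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (id == null) return;
        if (SecurityServerAuth.Sessions.IsSessionActive(id.Name, id.Ticket.UserData)) return;
        // Session closed or force-disconnected: drop the cookie, treat the request as anonymous.
        FormsAuthentication.SignOut();
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}
```

The per-request IsSessionActive call adds a round trip to the security server, so a provider-side cache with a short lifetime bounds the cost at the price of a small revocation delay.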
 
Amitai Palmon

It's a pity the membership provider doesn't save state (login status)...
Thanks a lot for your generous help
Amitai

 
Dominick Baier [DevelopMentor]

hi,

well - they provide something similar - which is of course not really usable
in your scenario - have a look at "IsOnlineTimeWindow" in the <membership>
element.


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 
Amitai Palmon

I found the "IsOnline" property (rather than "IsOnlineTimeWindow").
I guess I will do without the "logout". After all, the logout won't help me
much if the user just closes the browser.
I will rely on the "keep alive" message that is sent to our proprietary
security server.
Thanks a lot (I don't know in which time zone you are located, but it's been
a great help)


 
