MembershipUser.IsApproved and remembered logins

Discussion in 'ASP .Net Security' started by Erik Cassel, Nov 13, 2006.

  1. Erik Cassel

    Erik Cassel Guest

    We use Forms authentication on our website with the "remember me" feature.
    When somebody comes back to the site, they are automagically logged on.

    We also use the MembershipProvider framework.

    Here is the issue: When somebody is banned
    (MembershipUser.IsApproved=false) we don't want pre-existing authentication
    cookies to work when the banned user returns to the website.

    We use a custom MembershipProvider. Therefore, manual login can be prevented
    by checking the IsApproved property of the MembershipUser during
    MembershipProvider.ValidateUser.

    However, if there is a cookie then ValidateUser isn't called, so I can’t
    prevent the login.

    My workaround is to check IsApproved in Application_AuthenticateRequest. If
    it fails, I log the user out and then throw an exception. This workaround
    feels forced and not secure since the user had been momentarily authenticated.

    Is there a solution that isn’t a hack?
     
    Erik Cassel, Nov 13, 2006
    #1
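
The per-request check described in the post above, written out as an added example; it is not code from the original post. It assumes the handler lives in Global.asax.cs, and instead of throwing it resets the request to an anonymous principal, which is a choice made for this example.

```csharp
// Global.asax.cs (added illustration, not the poster's code)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Raised on every request. By the time this handler runs, the forms
    // authentication module has already turned a valid ticket cookie into
    // Context.User, but URL authorization and page code have not run yet.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal principal = Context.User;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return; // anonymous request, nothing to re-check

        // Ask the configured (custom) MembershipProvider for the current
        // account state. userIsOnline: false avoids touching the
        // last-activity timestamp on every request.
        MembershipUser user = Membership.GetUser(principal.Identity.Name, false);

        if (user != null && user.IsApproved)
            return; // account still in good standing

        // Banned or deleted account: expire the "remember me" cookie
        // in the browser.
        FormsAuthentication.SignOut();

        // Make the remainder of this request anonymous, so authorization
        // rules and page code never see the banned identity.
        Context.User = new GenericPrincipal(
            new GenericIdentity(string.Empty), new string[0]);
    }
}
```

Because the lookup runs on every authenticated request, a copy of the old cookie replayed after the sign-out is rejected the same way; the cost is one provider call per request.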