Erik Cassel
We use Forms authentication on our website with the "remember me" feature.
When somebody comes back to the site, they are automagically logged on.
We also use the MembershipProvider framework.
Here is the issue: When somebody is banned
(MembershipUser.IsApproved=false) we don't want pre-existing authentication
cookies to work when the banned user returns to the website.
We use a custom MembershipProvider. Therefore, manual login can be prevented
by checking the IsApproved property of the MembershipUser during
MembershipProvider.ValidateUser.
However, if there is a cookie then ValidateUser isn't called, so I can’t
prevent the login.
My workaround is to check IsApproved in Application_AuthenticateRequest. If
it fails, I log the user out and then throw an exception. This workaround
feels forced and not secure since the user had been momentarily authenticated.
Is there a solution that isn’t a hack?
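One way to run that approval check before any page or handler executes, as an added example (not the poster's code): a Global.asax handler that hooks the PostAuthenticateRequest stage, assumes the site's custom MembershipProvider is the default provider in web.config, and rejects the cookie-authenticated request when IsApproved is false.

```csharp
// Global.asax.cs -- added example, not the original poster's code.
// PostAuthenticateRequest fires after FormsAuthenticationModule has built the
// principal from the "remember me" cookie, but before any page or handler runs.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // Anonymous requests have nothing to revoke; let them through.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;

        // Ask the configured MembershipProvider for the account's current state.
        MembershipUser user = Membership.GetUser(Context.User.Identity.Name);

        if (user != null && user.IsApproved)
            return; // account in good standing: nothing to do

        // Banned (IsApproved == false) or deleted: clear the persistent cookie
        // so the browser stops presenting it on later requests...
        FormsAuthentication.SignOut();

        // ...and replace the principal for this request so nothing downstream
        // sees an authenticated user, even though the cookie itself was valid.
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

        // Redirect instead of throwing: the login page can explain the ban.
        FormsAuthentication.RedirectToLoginPage("reason=disabled");
    }
}
```

Membership.GetUser queries the provider on every authenticated request, so cache the approval flag if that cost matters.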