Preventing deleted users from logging in to your site
When you work with Forms Authentication and the Membership service, ticking the "remember me" check box in the login dialog makes the runtime issue a persistent authentication cookie. That cookie keeps the user logged in for a configured period, even after the browser is closed. The default period (the forms timeout attribute) is 30 minutes in .NET 2.0 and later, and because sliding expiration is on by default the ticket is renewed while the user keeps making requests. You can change the period to, say, 50 minutes as follows:
In web.config:
<authentication mode="Forms">
<forms timeout="50"></forms>
</authentication>
The problem: if an administrator deletes the user from the Membership store while that cookie is still valid, the user remains authenticated and can keep using the site. Forms Authentication only validates the cookie's signature and expiry; it never asks the Membership provider whether the account behind the ticket still exists.
To override this behaviour you need to check that the user still exists on every request and send them to the login page if they do not.
You can do this with an HttpModule that intercepts each request.
The following is the HttpModule:
Imports System
Imports System.Web
Imports System.Web.Security

Public Class checkUser
    Implements IHttpModule

    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub

    Public Sub Init(ByVal context As HttpApplication) Implements IHttpModule.Init
        ' PostAuthenticateRequest runs after FormsAuthenticationModule has set context.User
        AddHandler context.PostAuthenticateRequest, AddressOf OnPostAuthenticateRequest
    End Sub

    Sub OnPostAuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim app As HttpApplication = DirectCast(sender, HttpApplication)
        Dim context As HttpContext = app.Context

        ' Anonymous requests carry no ticket, so there is nothing to verify
        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then Return
        If context.User.Identity.AuthenticationType <> "Forms" Then Return

        ' Second argument False: do not update LastActivityDate on every request
        If Membership.GetUser(context.User.Identity.Name, False) Is Nothing Then
            ' Clear the cookie, redirect to the login page and stop the pipeline
            FormsAuthentication.SignOut()
            FormsAuthentication.RedirectToLoginPage()
            app.CompleteRequest()
        End If
    End Sub
End Class
Then register it in web.config under <system.web> as follows (on IIS 7 and later in integrated pipeline mode the same <add> entry goes under <system.webServer><modules> instead):
<httpModules>
<add name="checkUserStatus" type="checkUser"/>
</httpModules>
Of course this solution will slow your website, because it adds one extra database call for every authenticated request. Note also that SignOut only clears the cookie on this response; a copy of the old cookie that the client still holds remains a valid ticket until it expires, which is exactly why the check has to run on every request and not only at login.
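The following is an added example, not code from the original post: a variant of the module that bounds the per-request cost by caching a positive Membership answer per user name for a short window (the 60-second window is an assumption), and that also goes beyond the deletion case by treating unapproved and locked-out accounts as invalid. The Invalidate helper is likewise an assumption: it is meant to be called from whatever admin code deletes or locks an account.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Caching
Imports System.Web.Security

' Same idea as the checkUser module, but the Membership lookup is cached per
' user name for a short window, so the database is hit at most once per user
' per window instead of once per request.
Public Class CachedUserCheck
    Implements IHttpModule

    ' Assumption: a 60-second delay between deleting an account and its cookie
    ' being rejected is acceptable. Shorten it if it is not.
    Private Shared ReadOnly CacheWindow As TimeSpan = TimeSpan.FromSeconds(60)
    Private Const CachePrefix As String = "UserValid:"

    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub

    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        AddHandler app.PostAuthenticateRequest, AddressOf OnPostAuthenticateRequest
    End Sub

    Private Sub OnPostAuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim app As HttpApplication = DirectCast(sender, HttpApplication)
        Dim context As HttpContext = app.Context

        If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then Return
        If context.User.Identity.AuthenticationType <> "Forms" Then Return

        If Not IsAccountStillValid(context.User.Identity.Name) Then
            FormsAuthentication.SignOut()
            FormsAuthentication.RedirectToLoginPage()
            app.CompleteRequest()
        End If
    End Sub

    ' True when the account exists, is approved and is not locked out.
    ' Only a positive answer is cached: a deleted or locked account is checked
    ' against the database again on the very next request.
    Public Shared Function IsAccountStillValid(ByVal userName As String) As Boolean
        Dim key As String = CachePrefix & userName
        If HttpRuntime.Cache(key) IsNot Nothing Then Return True

        ' False: do not update LastActivityDate on every request
        Dim user As MembershipUser = Membership.GetUser(userName, False)
        Dim valid As Boolean = user IsNot Nothing AndAlso user.IsApproved AndAlso Not user.IsLockedOut
        If valid Then
            HttpRuntime.Cache.Insert(key, Boolean.TrueString, Nothing, _
                DateTime.UtcNow.Add(CacheWindow), Cache.NoSlidingExpiration)
        End If
        Return valid
    End Function

    ' Assumed hook: call this from the admin code that deletes or locks an
    ' account so the cached "valid" answer is dropped immediately rather than
    ' at the end of the window.
    Public Shared Sub Invalidate(ByVal userName As String)
        HttpRuntime.Cache.Remove(CachePrefix & userName)
    End Sub
End Class
```

Register it exactly like checkUser (type="CachedUserCheck"). The trade-off is explicit: with the cache in place a deleted account can keep working for up to CacheWindow unless the admin page calls Invalidate, which is why only the positive answer is cached and the window is kept short.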
Regards,
Anas Ghanem