
Consider that the user has a valid auth cookie, but their account has been deleted (from a different location).

WebSecurity.IsAuthenticated

returns true.

WebSecurity.CurrentUserName

returns the user's username, despite their account being deleted. Presumably, this info is encrypted in the auth cookie.

As it turns out, IsAuthenticated gets its answer from the current HttpContext's request:

this._context.User.Identity.IsAuthenticated

So, to mitigate:

 // Name taken from the auth cookie, not from the database
 var userName = WebSecurity.CurrentUserName;
 using (var userDb = new UsersContext())
 {
     // Check that the profile behind the cookie still exists
     var usr = userDb.UserProfiles.SingleOrDefault(u => u.UserName == userName);
     if (usr == null)
     {
         // Account is gone: sign the user out
         WebSecurity.Logout();
     }
 }

but, even after this:

 WebSecurity.IsAuthenticated == true
 WebSecurity.CurrentUserName == "myDeletedUser'sName"

This isn't very useful.

How do I clear out this info and get WebSecurity to re-assess the user's authentication state? Do I really have to redirect them back to my site just to reset this state? Supposing they POSTed? That's a PITA.

spender
  • What do you mean by "after this"? Do you mean in the same method? The user will still be authenticated until the next page refresh, because the IPrincipal is cookie based, and is set when a page loads. Logout just clears the cookie. – Erik Funkenbusch Jun 27 '13 at 15:45
  • Yes, indeed. After inspecting the source, I came to much the same conclusion. Logout only completes after the request has completed. – spender Jun 27 '13 at 15:58
  • May I know how do you solve this issue? Because I am thinking of force redirect them to a logout page. – Rosdi Kasim Apr 30 '14 at 04:55
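The mechanism the question and comments describe (IsAuthenticated and CurrentUserName are read from the cookie-built principal on HttpContext.User, and Logout only clears the cookie for the next request) can be handled centrally rather than in each action. The filter below is an added example, not code from the question or from the WebMatrix.WebData library: it re-validates the cookie identity against the database on every request, and when the account no longer exists it both clears the cookie and replaces the in-request principal, so that any later code in the same request that reads HttpContext.User sees an anonymous user. It assumes the question's UsersContext and UserProfiles EF types, and that CurrentUserName, like IsAuthenticated, is backed by HttpContext.User.Identity; the attribute name RequireLiveUserAttribute is hypothetical.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using WebMatrix.WebData;

// Hypothetical ASP.NET MVC filter (added example): rejects requests whose
// forms-auth cookie names an account that has since been deleted.
// Apply with [RequireLiveUser] on a controller, or register it globally.
public class RequireLiveUserAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The cookie alone decides this flag; treat it as a claim to verify.
        if (!httpContext.User.Identity.IsAuthenticated)
            return false;

        var userName = httpContext.User.Identity.Name;

        bool accountExists;
        // UsersContext / UserProfiles are the question's own EF types (assumed here).
        using (var userDb = new UsersContext())
        {
            accountExists = userDb.UserProfiles.Any(u => u.UserName == userName);
        }

        if (accountExists)
            return true;

        // Account is gone. Logout only clears the cookie for subsequent requests...
        WebSecurity.Logout();

        // ...so also swap the principal for this request. An empty-name
        // GenericIdentity reports IsAuthenticated == false, which is what
        // WebSecurity.IsAuthenticated reads from context.User.Identity.
        httpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

        // Returning false makes AuthorizeAttribute answer 401, which forms
        // authentication turns into a redirect to the login page. This covers
        // POSTs as well: the stale-cookie request never reaches the action.
        return false;
    }
}
```

Because the filter runs before the action, the action body never observes the stale IsAuthenticated/CurrentUserName values for a deleted account, and no manual redirect from inside the action is needed. If other code in the same request reads Thread.CurrentPrincipal rather than HttpContext.User, set that to the same anonymous principal as well.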

0 Answers