
The ASP.NET MVC3 application uses the login controller from the MVC3 application template below. Controllers are decorated with the [Authorize] attribute:

    [Authorize]
    public class CheckoutController : ControllerBase

The user enters a user name and password and clicks the "remember me" checkbox. The authorization cookie is stored in the browser and credentials are no longer asked for on subsequent accesses.

A user can be disabled by setting the disabled field in the accounts database. If such a user tries to log on, the membership provider returns an error and the login fails.

However, if the user is already logged in, the membership provider is not called. A disabled user can continue to use the application. How to fix this so that a disabled user cannot use the application?

The LogOn controller is basically from the Visual Studio MVC3 sample application template:

    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(model.UserName) || string.IsNullOrWhiteSpace(model.Password))
        {
            ModelState.AddModelError("", "User or password not filled");
            return View(model);
        }
        // The membership provider is consulted only here, at login time;
        // later requests are authenticated from the forms-auth cookie alone.
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            // RememberMe issues a persistent cookie that outlives the browser session.
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (!String.IsNullOrEmpty(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        else
        {
            ModelState.AddModelError("", "Logon error");
        }
        return View(model);
    }
Andrus
  • In your home controller, where you verify the existence of the cookie, you could call the service and verify the user's status. If not disabled, return view else remove cookie and show login page – adiga Jul 23 '15 at 06:56
  • User can open any page without accessing home page. `[Authorize]` attribute verifies it automatically, I don't have any code. Controllers are derived from a single base class in the application, maybe it is possible to add this to those or create some custom check. – Andrus Jul 23 '15 at 07:53
  • Is the tool or code that disables the account within the same application? In the past what I have done is set an application-level variable and then check for that on each request. However, that only works if the disabling is being done within the same app. – stephen.vakil Jul 23 '15 at 19:58
  • Yes, this is a single application. How to add your code to a custom `[DisabledUserCheckingAuthorize]` attribute or to the controller and WebAPI controller base classes? – Andrus Jul 24 '15 at 08:24

0 Answers
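The root cause in the question is that `[Authorize]` only checks that a valid forms-authentication ticket is present; nothing re-validates the account behind the ticket, so a "remember me" cookie keeps working after the account is disabled. One way to close that gap is the custom attribute the asker proposed in the comments: re-check the account on every authorized request and sign the user out when it is disabled. The code below is an added example, not part of the question, the MVC3 template or any answer on the page. It assumes that "disabled" is mapped to the membership provider's `IsApproved` flag (swap in your own accounts-table query if your schema differs); `AccountStatus` and the Web API attribute name are hypothetical, while `DisabledUserCheckingAuthorize` is the name proposed in the comments.

```csharp
using System.Threading;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Security;

// Shared lookup: re-validates the account on every request instead of trusting
// the forms-auth cookie alone.
// ASSUMPTION: "disabled" corresponds to MembershipUser.IsApproved == false.
public static class AccountStatus
{
    public static bool IsEnabled(string userName)
    {
        if (string.IsNullOrEmpty(userName))
            return false;

        // userIsOnline: false avoids rewriting LastActivityDate on every request.
        MembershipUser user = Membership.GetUser(userName, false);
        return user != null && user.IsApproved && !user.IsLockedOut;
    }
}

// MVC variant: drop-in replacement for [Authorize] on MVC controllers, e.g.
//   [DisabledUserCheckingAuthorize]
//   public class CheckoutController : ControllerBase { ... }
public class DisabledUserCheckingAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the stock behaviour (authenticated? in Roles/Users?) first.
        if (!base.AuthorizeCore(httpContext))
            return false;

        if (AccountStatus.IsEnabled(httpContext.User.Identity.Name))
            return true;

        // Account was disabled after the ticket was issued: revoke the cookie so
        // later requests fail fast, then fail authorization. The base class turns
        // that into a 401, which the forms-auth module redirects to the login page.
        FormsAuthentication.SignOut();
        return false;
    }
}

// Web API variant (hypothetical name): same check for ApiController classes.
// Thread.CurrentPrincipal is what the stock Web API attribute inspects, so it
// works on both Web API 1 and 2.
public class DisabledUserCheckingApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (!base.IsAuthorized(actionContext))
            return false;

        var identity = Thread.CurrentPrincipal == null ? null : Thread.CurrentPrincipal.Identity;
        if (identity != null && AccountStatus.IsEnabled(identity.Name))
            return true;

        FormsAuthentication.SignOut();
        return false;
    }
}
```

Because the check now runs on every authorized request, it costs one membership lookup per request; if that matters, cache the per-user status for a short interval (tens of seconds) rather than for the cookie lifetime, since the cache interval is exactly how long a disabled user can keep working. Applying the attribute on the shared base class (`ControllerBase` in the question) covers every derived controller without touching each one.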