.net - Authorize attribute authorizes on null


I manually manage users and logins. I use a ModelBinder to pass the logged-in user to controllers as a parameter. Controllers and methods use the Authorize attribute to restrict access, but it authorizes on null instead of on Account objects.

This happens, for example, when an account is removed while the user is still logged in. The ModelBinder:

    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        // Read the forms-auth cookie and resolve the logged-in account from the user id in its ticket
        HttpCookie authCookie = controllerContext.HttpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            int userId = int.Parse(authTicket.UserData.Split(',')[0]);
            var userRepository = DependencyResolver.Current.GetService(typeof(IUserRepository)) as IUserRepository;
            // Returns null when the account no longer exists
            return userRepository.FindById(userId) as Account;
        }
        return null;
    }

The repository returns null because the account doesn't exist anymore, but it's still authorized. The login:

    private void LoginUser(Account account, bool rememberMe)
    {
        string role = ObjectContext.GetObjectType(account.GetType()).Name;
        string userData = account.UserId + "," + role;

        // clear other tickets in response
        Response.Cookies.Clear();
        DateTime expiryDate = DateTime.Now.AddDays(30);

        // create FAT (forms authentication ticket)
        var authenticationTicket = new FormsAuthenticationTicket(1, account.FirstName, DateTime.Now,
            expiryDate, rememberMe, userData, string.Empty);

        // create cookie
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(authenticationTicket));
        if (rememberMe)
        {
            cookie.Expires = expiryDate;
        }

        // finish
        Response.Cookies.Add(cookie);
        HttpContext.User = new GenericPrincipal(new GenericIdentity(account.FullName),
            new[] { role });
    }

I think it's still authorized because HttpContext.User is still set. What's the best way to reset HttpContext.User and delete the cookies of removed users?

If you are using role-based authentication, a graceful way of handling this is to revoke the roles of the user. They are still logged in, but unable to access privileged information.

Otherwise, you have to create a deleted flag and create some sort of action filter, custom Authorize attribute, or method of checking on each request and logging them out manually if the check fails.

If you are using the new ASP.NET Identity (it appears you are not, as you are using custom forms auth), you can regenerate the security stamp, since it is used to determine on each request whether the credentials of the user have changed.
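A custom Authorize attribute of the kind the answer describes, added here as an example (it is not code from the question or the answer): it re-resolves the account from the forms ticket on every request and revokes the ticket when the account is gone. IUserRepository, FindById and Account are assumed from the question; everything else is standard System.Web.Mvc / System.Web.Security.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed from the question: IUserRepository with FindById(int) and an Account class.
public class ActiveAccountAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Standard checks first: authenticated identity plus any Users/Roles restrictions.
        if (!base.AuthorizeCore(httpContext))
            return false;
        var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
            return false;
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            ticket = null; // unreadable or tampered ticket: treat as unauthenticated
        }
        if (ticket == null || ticket.Expired)
            return Revoke(httpContext);
        int userId;
        if (!int.TryParse(ticket.UserData.Split(',')[0], out userId))
            return Revoke(httpContext);
        var repository = DependencyResolver.Current.GetService(typeof(IUserRepository)) as IUserRepository;
        var account = repository == null ? null : repository.FindById(userId) as Account;
        if (account == null)
            return Revoke(httpContext); // deleted after login: ticket no longer backed by a user
        return true;
    }

    // Clear the forms cookie on the response and drop the principal for this request,
    // so the stale ticket is not honoured again.
    private static bool Revoke(HttpContextBase httpContext)
    {
        FormsAuthentication.SignOut();
        httpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        return false;
    }
}
```

Apply it in place of [Authorize] on the controllers or actions that receive the bound Account; a deleted-flag check (the answer's other suggestion) would go next to the null check, treating a flagged account the same way.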
