Authorize attribute authorizes on null
I manually manage users and logins, and use a model binder to pass the logged-in user to controllers as a parameter. Controllers and methods use the Authorize attribute to restrict access, but it authorizes on null instead of on Account objects.

This happens, for example, when an account is removed while the user is still logged in. The model binder:
    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        HttpCookie authCookie = controllerContext.HttpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            // UserData was written at login as "<userId>,<role>"
            int userId = int.Parse(authTicket.UserData.Split(',')[0]);
            var userRepository = DependencyResolver.Current.GetService(typeof(IUserRepository)) as IUserRepository;
            // Returns null when the account has been deleted since the ticket was issued
            return userRepository.FindById(userId) as Account;
        }
        return null;
    }
The repository returns null because the account doesn't exist anymore, but the request is still authorized. Login:
    private void LoginUser(Account account, bool rememberMe)
    {
        // The role is the concrete entity type name (e.g. the EF subclass of Account)
        string role = ObjectContext.GetObjectType(account.GetType()).Name;
        string userData = account.UserId + "," + role;

        // Clear other tickets in the response
        Response.Cookies.Clear();

        DateTime expiryDate = DateTime.Now.AddDays(30);

        // Create the forms authentication ticket
        var authenticationTicket = new FormsAuthenticationTicket(1, account.FirstName, DateTime.Now, expiryDate, rememberMe, userData, string.Empty);

        // Create the cookie
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authenticationTicket));
        if (rememberMe)
        {
            cookie.Expires = expiryDate;
        }

        // Finish
        Response.Cookies.Add(cookie);
        HttpContext.User = new GenericPrincipal(new GenericIdentity(account.FullName), new[] { role });
    }
I think it's still authorized because HttpContext.User is still set. What's the best way to reset HttpContext.User and delete the cookies of removed users?
If you are using role-based authentication, the graceful way of handling this is to revoke the roles of the user. They are still logged in, but unable to access privileged information.

Otherwise, you have to create a deleted flag and create some sort of action filter, custom authorize attribute, or method of checking on each request and logging them out manually if the check fails.

If you are using the new ASP.NET Identity (it appears you are not, and are using custom forms auth), you can regenerate the security stamp, since it uses that to determine on each request whether the credentials of the user have changed.
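The custom authorize attribute suggested in the answer, written out as an added example (this is not code from the question or the answer). It reuses the `IUserRepository.FindById(int)` and `Account` types and the `"<userId>,<role>"` UserData layout shown in the question; the class name, the way decryption failures are handled, and the namespaces are assumptions. The attribute re-validates the forms ticket against the user store on every request, so a deleted account is treated as anonymous and its cookie is cleared, and a role change in the store takes effect on the next request instead of living on in the cookie for 30 days.

```csharp
using System;
using System.Data.Objects;           // ObjectContext.GetObjectType, as used in the login code
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example: drop-in replacement for [Authorize] that checks the account behind the
// forms ticket still exists (and re-derives its role) before the stock Users/Roles checks run.
public class DatabaseAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        HttpCookie authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
            return false;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // Tampered, truncated or otherwise undecryptable cookie: treat as anonymous
            return false;
        }

        int userId;
        if (ticket == null || ticket.Expired ||
            !int.TryParse(ticket.UserData.Split(',')[0], out userId))
            return false;

        // Same lookup the question's model binder does (IUserRepository is assumed from the question)
        var repository = (IUserRepository)DependencyResolver.Current.GetService(typeof(IUserRepository));
        Account account = repository.FindById(userId);
        if (account == null)
            return false; // account deleted since the ticket was issued

        // Trust the current entity type for the role, not the role stored in the cookie at login
        string role = ObjectContext.GetObjectType(account.GetType()).Name;
        httpContext.User = new GenericPrincipal(new GenericIdentity(account.FullName), new[] { role });

        // Apply the attribute's Users="..." / Roles="..." settings against the fresh principal
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Expire the stale cookie and drop the principal so nothing later in the request
        // sees a logged-in user; the base call then issues the usual 401/login redirect.
        FormsAuthentication.SignOut();
        filterContext.HttpContext.User =
            new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Use `[DatabaseAuthorize]` (or `[DatabaseAuthorize(Roles = "Admin")]`) wherever `[Authorize]` is used today. The cost is one repository lookup per authorized request; that is the same trade the ASP.NET Identity security-stamp check mentioned above makes, which is why Identity exposes a validation interval to bound it. Note that `FormsAuthentication.SignOut()` only removes the cookie from the current response; a copy of the old cookie that an attacker kept would still decrypt, which is exactly why the account lookup has to happen on every request rather than only at login.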