以编程方式注销ASP.NET用户 [英] Programmatically logout an ASP.NET user

问题描述

我的应用允许管理员暂停/取消暂停用户帐户.我使用以下代码执行此操作:

My app allows an admin to suspend/unsuspend user accounts. I do this with the following code:

MembershipUser user = Membership.GetUser(Guid.Parse(userId));
user.IsApproved = false;
Membership.UpdateUser(user);

上面的方法可以很好地挂起用户，但不会撤消他们的会话.因此，只要保留了他们的会话cookie，被暂停的用户就可以继续访问该应用程序.任何修复/

The above works fine to suspend the user, but it does not revoke their session. Consequently, the suspended user can remain with access to the application as long as their session cookie remains. Any fix/

推荐答案

无法从会话的外部"放弃会话.您必须在每次页面加载时检查数据库，如果该帐户已被禁用，则需要注销.您也可以使用HttpModule来实现这一点，这会使事情变得更整洁.

There's no way to abandon a session from 'outside' the session. You would have to check the database on each page load, and if the account has been disabled, then signout. You could achieve this using a HttpModule too, which would make things a bit cleaner.

例如:

public class UserCheckModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }

    public void Dispose() {}

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        // Get the user (though the method below is probably incorrect)
        // The basic idea is to get the user record using a user key
        // stored in the session (such as the user id).
        MembershipUser user = Membership.GetUser(Guid.Parse(HttpContext.Current.Session["guid"]));

        // Ensure user is valid
        if (!user.IsApproved)
        {
            HttpContext.Current.Session.Abandon();
            FormsAuthentication.SignOut();
            HttpContext.Current.Response.Redirect("~/Login.aspx?AccountDisabled");
        }
    }
}

这不是一个完整的示例，使用会话中存储的密钥检索用户的方法将需要调整，但这应该可以帮助您入门.它将在每次页面加载时进行额外的数据库检查，以检查用户帐户是否仍处于活动状态，但是没有其他方法可以检查此信息.

This isn't a complete example, and the method of retrieving the user using a key stored in the session will need to be adapted, but this should get you started. It will involve an extra database check on each page load to check that the user account is still active, but there's no other way of checking this information.

这篇关于以编程方式注销ASP.NET用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！