编程方式退出的ASP.NET用户 [英] Programatically logout an ASP.NET user

问题描述

我的应用程序允许管理员暂停/取消暂停用户帐户。我这样做有以下code：

My app allows an admin to suspend/unsuspend user accounts. I do this with the following code:

MembershipUser user = Membership.GetUser(Guid.Parse(userId));
user.IsApproved = false;
Membership.UpdateUser(user);

精细上述工程暂停的用户，但它并没有撤销其会话。因此，暂停用户可以只要自己的会话cookie仍然保持与访问应用程序。任何修复/

The above works fine to suspend the user, but it does not revoke their session. Consequently, the suspended user can remain with access to the application as long as their session cookie remains. Any fix/

推荐答案

有没有办法放弃，从外部会话的会话。你将不得不检查每个页面加载数据库中，如果该帐户已被禁用，则signout。你可以使用的HttpModule过，这将使事情有点清洁做到这一点。

There's no way to abandon a session from 'outside' the session. You would have to check the database on each page load, and if the account has been disabled, then signout. You could achieve this using a HttpModule too, which would make things a bit cleaner.

例如：

public class UserCheckModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }

    public void Dispose() {}

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        // Get the user (though the method below is probably incorrect)
        // The basic idea is to get the user record using a user key
        // stored in the session (such as the user id).
        MembershipUser user = Membership.GetUser(Guid.Parse(HttpContext.Current.Session["guid"]));

        // Ensure user is valid
        if (!user.IsApproved)
        {
            HttpContext.Current.Session.Abandon();
            FormsAuthentication.SignOut();
            HttpContext.Current.Response.Redirect("~/Login.aspx?AccountDisabled");
        }
    }
}

这是不是一个完整的例子，使用检索存储在会话的关键将需要适应用户的方法，但这应该让你开始。这将涉及每个页面加载额外的数据库检查，以检查用户的帐户仍然有效，但有检查这些信息没有其他办法。

This isn't a complete example, and the method of retrieving the user using a key stored in the session will need to be adapted, but this should get you started. It will involve an extra database check on each page load to check that the user account is still active, but there's no other way of checking this information.

这篇关于编程方式退出的ASP.NET用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！