asp.net会员IsApproved虚假的，但仍允许登录 [英] asp.net membership IsApproved false but still allowing login

问题描述

我有更改默认的帐户会员提供商IsApproved设置为false。

 公共MembershipCreateStatus CREATEUSER（用户名字符串，字符串密码，串电子邮件）
    {
        MembershipCreateStatus状态;
        _provider.CreateUser（用户名，密码，电子邮件，空，空，假，空，出状态）;
        返回状态;
    }
 

但我再回到登录页面，它可以让我登录。难道不应该失败的登录和说，我没有批准??

编辑：

 的[AcceptVerbs（HttpVerbs.Post）
    公众的ActionResult注册（用户名字符串，字符串email，字符串密码，串confirmPassword，字符串的地址，字符串地址2，字符串市，字符串州，串HOMEPHONE，手机串，串公司）
    {        计算机[PasswordLength] = MembershipService.MinPasswordLength;        如果（ValidateRegistration（用户名，电子邮件，密码，confirmPassword））
        {            //试图注册用户
            MembershipCreateStatus createStatus = MembershipService.CreateUser（用户名，密码，电子邮件）;            如果（createStatus == MembershipCreateStatus.Success）
            {
                FormsAuth.SignIn（用户名，假的/ * * createPersistentCookie /）;                TempData的[形] =的Request.Form;
                TempData的[isActive] = FALSE;
                返回RedirectToAction（创建，用户）;
            }
            其他
            {
                ModelState.AddModelError（_表，错误codeToString（createStatus））;
            }
        }        //如果我们走到这一步，事情失败了，重新显示形式
        返回查看（）;
    }
 

解决方案

（它看起来像这个问题的另一个副本将被关闭，所以我在这里复制我的答案）

<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.htt$p$pquest.isauthenticated%28loband%29.aspx\">Htt$p$pquest.IsAuthenticated如果HttpContext.User.Identity不为空，它的IsAuthenticated属性返回true返回true。

目前的身份是在<一个集href=\"http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationmodule%28loband%29.aspx\">FormsAuthenticationModule,但它无关，与你的MembershipProvider。事实上，它甚至不引用它。它所做的是检查是否身份验证cookie仍设置并且仍然有效（因为是，没有过期）。

我认为问题是，你正在调用的<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication%28loband%29.aspx\">FormsAuthentication方法，如 RedirectFromLoginPage ，这是设置身份验证cookie。如果你需要等待，直到用户获得批准，那么你需要确保你没有设置cookie。

更新

有没有MembershipCreateStatus指定用户已经创建，但未获批准，所以你的code呼吁 FormsAuth.SignIn 而不实际检查，如果用户已经获得批准。

FormsAuth.SignIn 只设置cookie，仅此而已。它不验证用户或其他任何关系到你的MembershipProvider。如果批准是异步的（即等待一个人），则不会自动调用FormsAuth.SignIn登录的用户。

i have change the default Account Membership provider to set IsApproved to false.

    public MembershipCreateStatus CreateUser(string userName, string password, string email)
    {
        MembershipCreateStatus status;
        _provider.CreateUser(userName, password, email, null, null, false, null, out status);
        return status;
    }

But i then go back to the login page and it allows me to login. Shouldn't it fail login and say that i am not approved ??

EDIT:

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Register(string userName, string email, string password, string confirmPassword, string address, string address2, string city, string state, string homePhone, string cellPhone, string company)
    {

        ViewData["PasswordLength"] = MembershipService.MinPasswordLength;

        if (ValidateRegistration(userName, email, password, confirmPassword))
        {

            // Attempt to register the user
            MembershipCreateStatus createStatus = MembershipService.CreateUser(userName, password, email);

            if (createStatus == MembershipCreateStatus.Success)
            {
                FormsAuth.SignIn(userName, false /* createPersistentCookie */);

                TempData["form"] = Request.Form;
                TempData["isActive"] = false;
                return RedirectToAction("Create", "Users");
            }
            else
            {
                ModelState.AddModelError("_FORM", ErrorCodeToString(createStatus));
            }
        }

        // If we got this far, something failed, redisplay form
        return View();
    }

解决方案

(it looks like the other copy of this question is going to be closed, so I've copied my answer here)

HttpRequest.IsAuthenticated returns true if HttpContext.User.Identity is not null and it's IsAuthenticated property returns true.

The current identity is set in the FormsAuthenticationModule, but it has nothing to do with your MembershipProvider. In fact, it doesn't even reference it. All it does is check to see if the authentication cookie is still set and is still valid (as is, has not expired).

I think the problem is that you are calling one of the FormsAuthentication methods like RedirectFromLoginPage, which is settings the authentication cookie. If you need to wait until the user is approved, then you need to make sure you are not setting the cookie.

Update

There are no values of MembershipCreateStatus that specify that the user has been created but not approved, so your code is calling FormsAuth.SignIn without actually checking if the user has been approved.

FormsAuth.SignIn just sets the cookie, that's it. It doesn't validate the user or otherwise have any relation to your MembershipProvider. If approval is asynchronous (ie. waiting for a human), then don't automatically log the user in by calling FormsAuth.SignIn.

这篇关于asp.net会员IsApproved虚假的，但仍允许登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！