以编程方式注销 ASP.NET 用户 [英] Programmatically logout an ASP.NET user

问题描述

我的应用允许管理员暂停/取消暂停用户帐户.我使用以下代码执行此操作:

My app allows an admin to suspend/unsuspend user accounts. I do this with the following code:

MembershipUser user = Membership.GetUser(Guid.Parse(userId));
user.IsApproved = false;
Membership.UpdateUser(user);

以上可以很好地暂停用户，但不会撤销他们的会话.因此，只要他们的会话 cookie 仍然存在，被暂停的用户就可以继续访问应用程序.任何修复/

The above works fine to suspend the user, but it does not revoke their session. Consequently, the suspended user can remain with access to the application as long as their session cookie remains. Any fix/

推荐答案

没有办法从会话外部"放弃会话.您必须在每次加载页面时检查数据库，如果帐户已被禁用，则注销.您也可以使用 HttpModule 来实现这一点，这会让事情变得更简洁.

There's no way to abandon a session from 'outside' the session. You would have to check the database on each page load, and if the account has been disabled, then signout. You could achieve this using a HttpModule too, which would make things a bit cleaner.

例如:

public class UserCheckModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }

    public void Dispose() {}

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        // Get the user (though the method below is probably incorrect)
        // The basic idea is to get the user record using a user key
        // stored in the session (such as the user id).
        MembershipUser user = Membership.GetUser(Guid.Parse(HttpContext.Current.Session["guid"]));

        // Ensure user is valid
        if (!user.IsApproved)
        {
            HttpContext.Current.Session.Abandon();
            FormsAuthentication.SignOut();
            HttpContext.Current.Response.Redirect("~/Login.aspx?AccountDisabled");
        }
    }
}

这不是一个完整的示例，需要调整使用存储在会话中的密钥检索用户的方法，但这应该可以帮助您入门.这将涉及对每个页面加载进行额外的数据库检查，以检查用户帐户是否仍处于活动状态，但没有其他方法可以检查此信息.

This isn't a complete example, and the method of retrieving the user using a key stored in the session will need to be adapted, but this should get you started. It will involve an extra database check on each page load to check that the user account is still active, but there's no other way of checking this information.

这篇关于以编程方式注销 ASP.NET 用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！