Re: Membership custom provider - logout function

Thanks for your answer.

I do understand, as you mentioned, that the provider is an abstraction layer
over a back end data store.

The data store, however, has to be updated for both login and logout.
When "ValidateUser" is being called, I validate the credentials against the
data store and if successful, the data store generates a "sessionID" which
is used afterwards for authorization operations.

When logging out, I need my custom provider to work against the data store
to invalidate the sessionID.

My problem is, that no function of the provider is being called when logging
out, so I have no way of updating my data store and invalidating my
sessionID.

I don't want the application level to access the data store, because then I
have no abstraction...only the provider has to know about the data store.

I hope I have cleared my issue..
Please advice
Many thanks
Amitai


"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631764f18c7d53a342a3a80@xxxxxxxxxxxxxxxxxxxxx
> hi,
> ValidateUser is not a login operation - it validates credentials - and
> retrurns a boolean according to the outcome of the validation. The
> membership provider is only an abstraction over a back end data store.
>
> The login control sets the authentication ticket by calling
> FormsAuthentication.SetAuthCookie.
>
> To clear the authentication ticket call FormsAuthentication.SignOut.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> I am writing a custom Membership provider for ASP.NET
>> I have derived from the Membership provider and have supplied my own
>> method
>> that work against my security server.
>> For login operation, for instance, I implemented the
>> "ValidateUser(name,
>> password)" function.
>> I can not, however, find any function that maches the "logout"
>> operation.
>> As you may guess, it is a must to implement this function, but - no
>> trace
>> for it in the membership provider class.
>> Please advice
>> Many thanks
>> Amitai
>
>


.

Relevant Pages

  • Re: Membership custom provider - logout function
    ... The custom membership provider should work against this security server. ... the data store does not generate a sessionID - the data store says yes/no to the credentials - and afterwards the login control creates something called an "authentication ticket" - this tickets get "attached" to the current request/response using either a cookie or query string mangling. ... You can configure the behaviour, lifetime, name etc. of that ticket using the config element. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Membership custom provider - logout function
    ... The custom membership provider should work against this security server. ... > the data store does not generate a sessionID - the data store says yes/no ... > You can configure the behaviour, lifetime, name etc. of that ticket using ... >> store to invalidate the sessionID. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Membership custom provider - logout function
    ... Dominick Baier - DevelopMentor ... The custom membership provider should work against this security server. ... the data store does not generate a sessionID - the data store says yes/no to the credentials - and afterwards the login control creates something called an "authentication ticket" - this tickets get "attached" to the current request/response using either a cookie or query string mangling. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Membership custom provider - logout function
    ... the data store does not generate a sessionID - the data store says yes/no to the credentials - and afterwards the login control creates something called ... Your membership provider is never called again after authentication - the FormsAuthentication infrastructure validates the ticket and sets Context.User now on each request. ... SignOutclears this ticket - and on the next request the Authorization module emits a 401 which in turn makes FormsAuthentication to emit a 302 to the login page. ...
    (microsoft.public.dotnet.framework.aspnet.security)