Re: Membership custom provider - logout function



Hi,

The data store does not generate a sessionID - the data store says yes/no to the credentials - and afterwards the login control creates something called an "authentication ticket" - this ticket gets "attached" to the current request/response using either a cookie or query string mangling.

You can configure the behaviour, lifetime, name etc. of that ticket using the <forms> config element.

Your membership provider is never called again after authentication - the FormsAuthentication infrastructure validates the ticket and sets Context.User now on each request. Authorization is done on the value set for Context.User.

SignOut() clears this ticket (either cookie or querystring again) - and on the next request the Authorization module emits a 401 which in turn makes FormsAuthentication emit a 302 to the login page.

The provider and FormsAuthentication are really two distinct things.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks for your answer.

I do understand, as you mentioned, that the provider is an abstraction
layer over a back end data store.

The data store, however, has to be updated for both login and logout.
When "ValidateUser" is being called, I validate the credentials
against the data store and if successful, the data store generates a
"sessionID" which is used afterwards for authorization operations.
When logging out, I need my custom provider to work against the data
store to invalidate the sessionID.

My problem is that no function of the provider is being called when
logging out, so I have no way of updating my data store and
invalidating my sessionID.

I don't want the application level to access the data store, because
then I have no abstraction...only the provider has to know about the
data store.

I hope I have cleared my issue.
Please advise
Many thanks
Amitai

"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be631764f18c7d53a342a3a80@xxxxxxxxxxxxxxxxxxxxx

Hi,
ValidateUser is not a login operation - it validates credentials -
and returns a boolean according to the outcome of the validation. The
membership provider is only an abstraction over a back end data
store.
The login control sets the authentication ticket by calling
FormsAuthentication.SetAuthCookie.

To clear the authentication ticket call FormsAuthentication.SignOut.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I am writing a custom Membership provider for ASP.NET.
I have derived from the Membership provider and have supplied my own
methods that work against my security server.
For login operation, for instance, I implemented the
"ValidateUser(name, password)" function.
I can not, however, find any function that matches the "logout"
operation.
As you may guess, it is a must to implement this function, but - no
trace for it in the membership provider class.
Please advise
Many thanks
Amitai
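
The split between provider and FormsAuthentication described in this thread, as an added example that is not part of the original posts: the provider is consulted once at login, the ticket alone identifies the user on later requests, and logout touches only the ticket. The `AccountFlow` class, the 30-minute lifetime and cookie mode are assumptions; `UserFromTicket` only approximates what the FormsAuthentication infrastructure does on each request.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread); cookie mode and a 30-minute lifetime are assumed.
public static class AccountFlow
{
    // Login: the provider only answers yes/no; FormsAuthentication issues the ticket.
    public static bool SignIn(HttpResponse response, string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return false;

        // Roughly what FormsAuthentication.SetAuthCookie does in cookie mode.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, string.Empty);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
        return true;
    }

    // Later requests: the ticket alone identifies the user; no provider call is made.
    // Returns null when there is no usable ticket.
    public static string UserFromTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.Name;
        }
        catch (Exception) // tampered or undecryptable value: treat as anonymous
        {
            return null;
        }
    }

    // Logout: clears the ticket on the client; the provider is not involved.
    public static void SignOut()
    {
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```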