Re: Membership custom provider - logout function

It's a pitty the membership provider doesn't save state (login status)...
Thanks a lot for your generous help
Amitai

"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631777e98c7d5dcd4dc428b@xxxxxxxxxxxxxxxxxxxxx
> Hi,
> the you have to build something customized - the standard provider API
> does not provide that functionality.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> I fully understand your reply.
>> Our product is a family of applications which all use a centralized
>> security
>> server.
>> The security server keeps track of all connected sessions.
>> The administrator has a console from which he/she can force disconnect
>> an
>> active session (if and when needed).
>> Upon logout, the session is invalidates and removes.
>> The custom membership provider should work against this security
>> server.
>> This is why I need a notification on logout...
>> Please advice one more time..
>> Thanks
>> Amitai
>> "Dominick Baier [DevelopMentor]"
>> <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:4580be631774bd8c7d5d6a62e8b97@xxxxxxxxxxxxxxxxxxxxx
>>
>>> Hi,
>>> the data store does not generate a sessionID - the data store says
>>> yes/no
>>> to the credentials - and afterwards the login control creates
>>> something
>>> called an "authentication ticket" - this tickets get "attached" to
>>> the
>>> current request/response using either a cookie or query string
>>> mangling.
>>> You can configure the behaviour, lifetime, name etc. of that ticket
>>> using
>>> the <forms> config element.
>>> Your membership provider is never called again after authentication -
>>> the
>>> FormsAuthentication infrastructure validates the ticket and sets
>>> Context.User now on each request. Authorization is done on the value
>>> set
>>> for Context.User.
>>> SignOut() clears this ticket (either cookie or querystring again) -
>>> and on the next request the Authorization module emits a 401 which in
>>> turn makes FormsAuthentication to emit a 302 to the login page.
>>>
>>> The provider and FormsAuthentication are really two distinct things.
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Thanks for your answer.
>>>>
>>>> I do understand, as you mentioned, that the provider is an
>>>> abstraction layer over a back end data store.
>>>>
>>>> The data store, however, has to be updated for both login and
>>>> logout.
>>>> When "ValidateUser" is being called, I validate the credentials
>>>> against the
>>>> data store and if successful, the data store generates a "sessionID"
>>>> which
>>>> is used afterwards for authorization operations.
>>>> When logging out, I need my custom provider to work against the data
>>>> store to invalidate the sessionID.
>>>> My problem is, that no function of the provider is being called when
>>>> logging out, so I have no way of updating my data store and
>>>> invalidating my sessionID.
>>>>
>>>> I don't want the application level to access the data store, because
>>>> then I have no abstraction...only the provider has to know about the
>>>> data store.
>>>>
>>>> I hope I have cleared my issue..
>>>> Please advice
>>>> Many thanks
>>>> Amitai
>>>> "Dominick Baier [DevelopMentor]"
>>>> <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:4580be631764f18c7d53a342a3a80@xxxxxxxxxxxxxxxxxxxxx
>>>>> hi,
>>>>> ValidateUser is not a login operation - it validates credentials -
>>>>> and
>>>>> retrurns a boolean according to the outcome of the validation. The
>>>>> membership provider is only an abstraction over a back end data
>>>>> store.
>>>>> The login control sets the authentication ticket by calling
>>>>> FormsAuthentication.SetAuthCookie.
>>>>> To clear the authentication ticket call
>>>>> FormsAuthentication.SignOut.
>>>>>
>>>>> ---------------------------------------
>>>>> Dominick Baier - DevelopMentor
>>>>> http://www.leastprivilege.com
>>>>>> I am writing a custom Membership provider for ASP.NET
>>>>>> I have derived from the Membership provider and have supplied my
>>>>>> own
>>>>>> method
>>>>>> that work against my security server.
>>>>>> For login operation, for instance, I implemented the
>>>>>> "ValidateUser(name,
>>>>>> password)" function.
>>>>>> I can not, however, find any function that maches the "logout"
>>>>>> operation.
>>>>>> As you may guess, it is a must to implement this function, but -
>>>>>> no
>>>>>> trace
>>>>>> for it in the membership provider class.
>>>>>> Please advice
>>>>>> Many thanks
>>>>>> Amitai
>
>


.

Relevant Pages

  • Re: Login page for windows integrated
    ... I have an asp.net 2.0 website running with Windows integrated security ... instead of the standard windows login prompt. ... I have found a Membership provider for Active Directory users so it ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: redirect user to login after page has expired asp.net 2.0
    ... You do not have to specify the login information in the web.config at all. ... If you are using the Membership Provider, ...
    (microsoft.public.dotnet.languages.csharp)
  • Asp.net Membership Lock Out
    ... I am using the standard asp.net membership provider. ... They attempt to login 5 times and they get ... Do I have to manually unlock these ...
    (microsoft.public.dotnet.framework.aspnet)
  • How to implement a automatic login function
    ... now I am using a asp.net login control and a customized ... membership provider to do the form authentication. ...
    (microsoft.public.dotnet.framework.aspnet)