Re: Membership custom provider - logout function

I found the "IsOnline" property (rather than "IsOnlineTimeWindow").
I guess I will do without the "logout". Afterall, the logout won't help me
much if the user just closes the browser.
I will rely on the "keep alive" message that is sent to our proprietary
security server.
Thanks a lot (I don't know in which time zone you are located, but its been
a great help)


"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be63177d0b8c7d5fbfd3916d4@xxxxxxxxxxxxxxxxxxxxx
> hi,
> well - they provide something similar - which is of course not really
> usable in your scenario - have a look at "IsOnlineTimeWindow" in the
> <membership> element.
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> It's a pitty the membership provider doesn't save state (login
>> status)...
>> Thanks a lot for your generous help
>> Amitai
>> "Dominick Baier [DevelopMentor]"
>> <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:4580be631777e98c7d5dcd4dc428b@xxxxxxxxxxxxxxxxxxxxx
>>
>>> Hi,
>>> the you have to build something customized - the standard provider
>>> API
>>> does not provide that functionality.
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> I fully understand your reply.
>>>> Our product is a family of applications which all use a centralized
>>>> security
>>>> server.
>>>> The security server keeps track of all connected sessions.
>>>> The administrator has a console from which he/she can force
>>>> disconnect
>>>> an
>>>> active session (if and when needed).
>>>> Upon logout, the session is invalidates and removes.
>>>> The custom membership provider should work against this security
>>>> server.
>>>> This is why I need a notification on logout...
>>>> Please advice one more time..
>>>> Thanks
>>>> Amitai
>>>> "Dominick Baier [DevelopMentor]"
>>>> <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:4580be631774bd8c7d5d6a62e8b97@xxxxxxxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>> the data store does not generate a sessionID - the data store says
>>>>> yes/no
>>>>> to the credentials - and afterwards the login control creates
>>>>> something
>>>>> called an "authentication ticket" - this tickets get "attached" to
>>>>> the
>>>>> current request/response using either a cookie or query string
>>>>> mangling.
>>>>> You can configure the behaviour, lifetime, name etc. of that ticket
>>>>> using
>>>>> the <forms> config element.
>>>>> Your membership provider is never called again after authentication
>>>>> -
>>>>> the
>>>>> FormsAuthentication infrastructure validates the ticket and sets
>>>>> Context.User now on each request. Authorization is done on the
>>>>> value
>>>>> set
>>>>> for Context.User.
>>>>> SignOut() clears this ticket (either cookie or querystring again) -
>>>>> and on the next request the Authorization module emits a 401 which
>>>>> in
>>>>> turn makes FormsAuthentication to emit a 302 to the login page.
>>>>> The provider and FormsAuthentication are really two distinct
>>>>> things.
>>>>>
>>>>> ---------------------------------------
>>>>> Dominick Baier - DevelopMentor
>>>>> http://www.leastprivilege.com
>>>>>> Thanks for your answer.
>>>>>>
>>>>>> I do understand, as you mentioned, that the provider is an
>>>>>> abstraction layer over a back end data store.
>>>>>>
>>>>>> The data store, however, has to be updated for both login and
>>>>>> logout.
>>>>>> When "ValidateUser" is being called, I validate the credentials
>>>>>> against the
>>>>>> data store and if successful, the data store generates a
>>>>>> "sessionID"
>>>>>> which
>>>>>> is used afterwards for authorization operations.
>>>>>> When logging out, I need my custom provider to work against the
>>>>>> data
>>>>>> store to invalidate the sessionID.
>>>>>> My problem is, that no function of the provider is being called
>>>>>> when
>>>>>> logging out, so I have no way of updating my data store and
>>>>>> invalidating my sessionID.
>>>>>> I don't want the application level to access the data store,
>>>>>> because then I have no abstraction...only the provider has to know
>>>>>> about the data store.
>>>>>>
>>>>>> I hope I have cleared my issue..
>>>>>> Please advice
>>>>>> Many thanks
>>>>>> Amitai
>>>>>> "Dominick Baier [DevelopMentor]"
>>>>>> <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>> news:4580be631764f18c7d53a342a3a80@xxxxxxxxxxxxxxxxxxxxx
>>>>>>> hi,
>>>>>>> ValidateUser is not a login operation - it validates credentials
>>>>>>> -
>>>>>>> and
>>>>>>> retrurns a boolean according to the outcome of the validation.
>>>>>>> The
>>>>>>> membership provider is only an abstraction over a back end data
>>>>>>> store.
>>>>>>> The login control sets the authentication ticket by calling
>>>>>>> FormsAuthentication.SetAuthCookie.
>>>>>>> To clear the authentication ticket call
>>>>>>> FormsAuthentication.SignOut.
>>>>>>> ---------------------------------------
>>>>>>> Dominick Baier - DevelopMentor
>>>>>>> http://www.leastprivilege.com
>>>>>>>> I am writing a custom Membership provider for ASP.NET
>>>>>>>> I have derived from the Membership provider and have supplied my
>>>>>>>> own
>>>>>>>> method
>>>>>>>> that work against my security server.
>>>>>>>> For login operation, for instance, I implemented the
>>>>>>>> "ValidateUser(name,
>>>>>>>> password)" function.
>>>>>>>> I can not, however, find any function that maches the "logout"
>>>>>>>> operation.
>>>>>>>> As you may guess, it is a must to implement this function, but -
>>>>>>>> no
>>>>>>>> trace
>>>>>>>> for it in the membership provider class.
>>>>>>>> Please advice
>>>>>>>> Many thanks
>>>>>>>> Amitai
>
>


.