Delete user session in ASP.NET MVC with [Authorize]

4

I have a web system developed in ASP.NET MVC 4.

One of the features is user management. A CRUD of users.

My login method is as follows:

using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using Newtonsoft.Json;

[HttpPost]
public ActionResult Login(LoginViewModel loginViewModel)
{
    if (_loginService == null)
        _loginService = new LoginService();

    var result = _loginService.Login(loginViewModel.User, loginViewModel.Password);
    if (!result.Error)
    {
        // The serialized user travels inside the encrypted ticket as UserData.
        var userData = JsonConvert.SerializeObject(result.User);

        // The ticket name is the user id; Identity.Name returns it on later requests.
        // SetAuthCookie is not called as well: it would emit a second cookie with the
        // same name, which this hand-built ticket replaces anyway.
        var ticket = new FormsAuthenticationTicket(1, result.User.Id, DateTime.Now,
            DateTime.Now.AddMinutes(9999), true, userData, FormsAuthentication.FormsCookiePath);
        var encryptedCookie = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedCookie)
        {
            Expires = DateTime.Now.AddHours(14),
            HttpOnly = true  // keep the ticket out of reach of script
        };

        Response.Cookies.Add(cookie);
    }
    return new JsonResult
    {
        Data = result
    };
}

Yes, it is in English even though the system will be maintained by several companies.

Finally, I call this method from the client side, with JavaScript. As you can imagine, I use the [Authorize] attribute on all Controllers where authentication is required.

Let's say I just logged into the system with the user StackOverflow. I am navigating normally until another user, identified as DoMal, decides to delete me from the system. Since I only delete the user in the Delete action, the StackOverflow user will keep navigating the site normally even after being deleted. Until, of course, the cookie expires. The problem is that I want some way to end his session right away.

Is there a way to end the session only for StackOverflow in IIS? Or to force the cookie to expire?

The only thing I do not want to do is create an online user existence check on every action taken on the site.

Any ideas or suggestions?

    
asked by anonymous 31.10.2016 / 15:04

1 answer

1

You have to implement your own Authorize attribute. You can reuse the existing implementation by deriving from AuthorizeAttribute and making the modifications you require:

using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // AuthorizeCore runs on every request to an action carrying this attribute,
    // so this is where the "does the user still exist?" check belongs
    // (HandleUnauthorizedRequest only runs after authorization has already failed).
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))
            return false;

        // the user is authenticated, but does he still exist in the database?
        var userName = httpContext.User.Identity.Name;
        object user = null;  // query the database by userName here
        if (user == null) // if the user no longer exists, remove the cookie
        {
            FormsAuthentication.SignOut();
            return false;
        }
        return true;
    }
}

I do not guarantee that this code will work at first, but it should give you an idea of what you should do.

    
12.11.2016 / 15:17
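The answer above queries the database on every request, which the question wanted to avoid. As an added example (not the answer's code), the attribute below instead consults an in-process revocation list that the user Delete action fills in when it removes an account; RevokedUsers, RevocableAuthorizeAttribute and the Delete snippet at the end are hypothetical names.

```csharp
using System;
using System.Runtime.Caching;   // System.Runtime.Caching.dll must be referenced
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical revocation list: Delete records the id of a removed user here and
// the attribute checks it, so no database round trip is needed per request.
// An entry only has to outlive the longest ticket the Login action can issue.
public static class RevokedUsers
{
    private static readonly MemoryCache Cache = MemoryCache.Default;
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromHours(14);

    public static void Revoke(string userId)
    {
        Cache.Set("revoked:" + userId, true, DateTimeOffset.UtcNow.Add(TicketLifetime));
    }

    public static bool IsRevoked(string userId)
    {
        return Cache.Contains("revoked:" + userId);
    }
}

public class RevocableAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Let the base class validate the Forms ticket and any Roles/Users filters.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Identity.Name is the ticket name, i.e. the user id that Login stored in it.
        var userId = httpContext.User.Identity.Name;
        if (!RevokedUsers.IsRevoked(userId))
            return true;

        // Revoked: drop the cookie so the browser stops presenting it and refuse the
        // request; HandleUnauthorizedRequest then redirects to the login page.
        FormsAuthentication.SignOut();
        return false;
    }
}

// In the users controller, the (hypothetical) Delete action revokes after deleting:
//   _userService.Delete(id);
//   RevokedUsers.Revoke(id);
```

MemoryCache is per worker process, so on a web farm or after an application pool recycle the list must live in a shared store (database table or distributed cache) for the revocation to hold everywhere.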