Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Security / December 2005

Tip: Looking for answers? Try searching our database.

Membership custom provider - logout function

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Amitai Palmon - 22 Dec 2005 16:32 GMT
I am writing a custom Membership provider for ASP.NET
I have derived from the Membership provider and have supplied my own method
that work against my security server.
For login operation, for instance, I implemented the "ValidateUser(name,
password)" function.
I can not, however, find any function that maches the "logout" operation.
As you may guess, it is a must to implement this function, but - no trace
for it in the membership provider class.
Please advice
Many thanks
Amitai
Reply to this Message
Dominick Baier [DevelopMentor] - 22 Dec 2005 17:11 GMT
hi,

ValidateUser is not a login operation - it validates credentials - and retrurns
a boolean according to the outcome of the validation. The membership provider
is only an abstraction over a back end data store.

The login control sets the authentication ticket by calling FormsAuthentication.SetAuthCookie.

To clear the authentication ticket call FormsAuthentication.SignOut.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am writing a custom Membership provider for ASP.NET
> I have derived from the Membership provider and have supplied my own
[quoted text clipped - 11 lines]
> Many thanks
> Amitai
Reply to this Message
Amitai Palmon - 23 Dec 2005 09:44 GMT
Thanks for your answer.

I do understand, as you mentioned, that the provider is an abstraction layer
over a back end data store.

The data store, however, has to be updated for both login and logout.
When "ValidateUser" is being called, I validate the credentials against the
data store and if successful, the data store generates a "sessionID" which
is used afterwards for authorization operations.

When logging out, I need my custom provider to work against the data store
to invalidate the sessionID.

My problem is, that no function of the provider is being called when logging
out, so I have no way of updating my data store and invalidating my
sessionID.

I don't want the application level to access the data store, because then I
have no abstraction...only the provider has to know about the data store.

I hope I have cleared my issue..
Please advice
Many thanks
Amitai

> hi,
> ValidateUser is not a login operation - it validates credentials - and
[quoted text clipped - 25 lines]
>> Many thanks
>> Amitai
Reply to this Message
Dominick Baier [DevelopMentor] - 23 Dec 2005 11:50 GMT
Hi,

the data store does not generate a sessionID - the data store says yes/no
to the credentials - and afterwards the login control creates something called
an "authentication ticket" - this tickets get "attached" to the current request/response
using either a cookie or query string mangling.

You can configure the behaviour, lifetime, name etc. of that ticket using
the <forms> config element.

Your membership provider is never called again after authentication - the
FormsAuthentication infrastructure validates the ticket and sets Context.User
now on each request. Authorization is done on the value set for Context.User.

SignOut() clears this ticket (either cookie or querystring again) - and on
the next request the Authorization module emits a 401 which in turn makes
FormsAuthentication to emit a 302 to the login page.

The provider and FormsAuthentication are really two distinct things.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thanks for your answer.
>
[quoted text clipped - 52 lines]
>>> Many thanks
>>> Amita
Reply to this Message
Amitai Palmon - 23 Dec 2005 12:11 GMT
I fully understand your reply.
Our product is a family of applications which all use a centralized security
server.
The security server keeps track of all connected sessions.
The administrator has a console from which he/she can force disconnect an
active session (if and when needed).
Upon logout, the session is invalidates and removes.
The custom membership provider should work against this security server.
This is why I need a notification on logout...

Please advice one more time..
Thanks
Amitai

> Hi,
> the data store does not generate a sessionID - the data store says yes/no
[quoted text clipped - 74 lines]
>>>> Many thanks
>>>> Amitai
Reply to this Message
Dominick Baier [DevelopMentor] - 23 Dec 2005 12:35 GMT
Hi,

the you have to build something customized - the standard provider API does
not provide that functionality.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I fully understand your reply.
> Our product is a family of applications which all use a centralized
[quoted text clipped - 96 lines]
>>>>> Many thanks
>>>>> Amitai
Reply to this Message
Amitai Palmon - 23 Dec 2005 15:35 GMT
It's a pitty the membership provider doesn't save state (login status)...
Thanks a lot for your generous help
Amitai

> Hi,
> the you have to build something customized - the standard provider API
[quoted text clipped - 104 lines]
>>>>>> Many thanks
>>>>>> Amitai
Reply to this Message
Dominick Baier [DevelopMentor] - 23 Dec 2005 16:18 GMT
hi,

well - they provide something similar - which is of course not really usable
in your scenario - have a look at "IsOnlineTimeWindow" in the <membership>
element.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> It's a pitty the membership provider doesn't save state (login
> status)...
[quoted text clipped - 114 lines]
>>>>>>> Many thanks
>>>>>>> Amitai
Reply to this Message
Amitai Palmon - 23 Dec 2005 17:43 GMT
I found the "IsOnline" property (rather than "IsOnlineTimeWindow").
I guess I will do without the "logout". Afterall, the logout won't help me
much if the user just closes the browser.
I will rely on the "keep alive" message that is sent to our proprietary
security server.
Thanks a lot (I don't know in which time zone you are located, but its been
a great help)

> hi,
> well - they provide something similar - which is of course not really
[quoted text clipped - 123 lines]
>>>>>>>> Many thanks
>>>>>>>> Amitai
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.