Why doesn't WebSecurity.Logout *immediately* update IPrincipal.User to the null user

First of all, it is important to note that in my application, if you log out, the session is still valid: you are not redirected back to the login page but remain on the same page.

With that said, whichever of these two methods I use to log out of an MVC application

    FormsAuthentication.SignOut()
    WebSecurity.Logout()

the effect is the same, and none of the following properties change to reflect the logout if I access them immediately:

    User.Identity.Name
    Thread.CurrentPrincipal.Identity

Now, if I do a redirect or just reload the page, then obviously these properties are updated to the null user. They just don't update immediately, meaning User.Identity.Name still represents the user who just logged out.

This is a problem because I want to generate the form text "You are logged in as XXX" after login/logout, and it might be in an AJAX situation where redirection is not possible.

I'm wondering if there is a way to force the IPrincipal to reset after logging out (or logging in).

I guess people usually just Redirect() after the call to Logout(), so this is never a problem, but in an AJAX situation it is not always practical.

My current solution is to abstract the Identity in my own wrapper, so that as soon as I log out I can just update that. I'm a little concerned that this might have some obscure side effects, especially if someone is accessing IPrincipal directly and not through the wrapper.

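The behaviour described in the question, illustrated with an added example (this is not code from the question or from the ASP.NET framework documentation): FormsAuthentication.SignOut() only instructs the browser to drop the forms cookie on the response, while HttpContext.User and Thread.CurrentPrincipal were populated by the FormsAuthenticationModule earlier in the same request and stay as they were. The action below replaces the request's principal with an anonymous one right after signing out, so the greeting text can be rendered in the same (AJAX) request without a redirect. The controller, action and greeting helper names are assumptions.

```csharp
// Added example (not from the original question or answer). Assumes an
// ASP.NET MVC controller; AccountController, AjaxLogout and GreetingFor are
// made-up names.
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // Builds the text the page wants to show ("You are logged in as XXX").
    // GenericIdentity with an empty name reports IsAuthenticated == false.
    private static string GreetingFor(IPrincipal principal)
    {
        return principal != null && principal.Identity.IsAuthenticated
            ? "You are logged in as " + principal.Identity.Name
            : "You are not logged in";
    }

    [HttpPost]
    public ActionResult AjaxLogout()
    {
        // Clears the forms cookie in the *response*. HttpContext.User and
        // Thread.CurrentPrincipal for *this* request are not touched, so at
        // this point GreetingFor(User) would still name the user who just
        // logged out.
        FormsAuthentication.SignOut();

        // Replace the request's principal with an anonymous one so that any
        // code running later in this request (views, helpers, filters) sees
        // the logged-out state without waiting for the next request.
        var anonymous = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        HttpContext.User = anonymous;
        Thread.CurrentPrincipal = anonymous;

        // Now User.Identity.IsAuthenticated is false, so the greeting is correct.
        return Content(GreetingFor(User), "text/plain");
    }
}
```

This only fixes the in-process view for the current request; the cookie a browser (or anyone who copied it) still holds remains a valid ticket until it expires, which is the replay problem the answer refers to.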


1 answer


This is a major limitation of the ASP.NET event pipeline as it relates to forms authentication. This also makes it vulnerable to replay attacks, as described in KB article 900111. In this article, they link to one solution: use a membership provider that stores some server-side information about a logged-in user.

The membership provider seems to be very similar to the approach you're planning to take, and I'm wondering if you should use one of the built-in membership providers or write your own code as the membership provider. This should address some of the issues of people not understanding the approach and referring directly to IPrincipal.



Your "logging out but staying on the same page" exposes the problem a little more, but ultimately you are just hitting the same basic replay problem that everyone has with ASP.NET (though not everyone solves it).

This related question might be helpful as well.

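One way to add the server-side state the answer recommends, as an added example that is not part of the original answer, KB 900111, or any ASP.NET membership provider: on logout, record a per-user revocation timestamp; on every later request, after the FormsAuthenticationModule has built the principal from the cookie, decrypt the ticket and reject it if it was issued before that timestamp. A replayed copy of the old cookie then stops working as soon as the user logs out rather than when the ticket expires. RevokedTickets and its members are made-up names, and the in-memory dictionary assumes a single web server.

```csharp
// Added example (not from the original answer, KB 900111 or the framework).
// RevokedTickets / RevokeAllFor / IsRevoked are made-up names; the store is
// an in-memory dictionary and therefore assumes one web server process.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RevokedTickets
{
    // user name -> UTC ticks; tickets for that user issued at or before this
    // instant are rejected. A web farm would need a shared store instead.
    private static readonly ConcurrentDictionary<string, long> RevokedBefore =
        new ConcurrentDictionary<string, long>(StringComparer.OrdinalIgnoreCase);

    // Call together with FormsAuthentication.SignOut(): every ticket for this
    // user issued up to now becomes invalid, even if a copy was captured.
    public static void RevokeAllFor(string userName)
    {
        RevokedBefore[userName] = DateTime.UtcNow.Ticks;
    }

    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        long cutoff;
        return RevokedBefore.TryGetValue(ticket.Name, out cutoff)
            && ticket.IssueDate.ToUniversalTime().Ticks <= cutoff;
    }
}

public class MvcApplication : HttpApplication
{
    // PostAuthenticateRequest runs after FormsAuthenticationModule has set
    // Context.User from the .ASPXAUTH cookie, so this is where a server-side
    // check can overrule a cryptographically valid but revoked ticket.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Tampered or garbage cookie: the module already left the
            // request unauthenticated, nothing more to do here.
            return;
        }

        if (ticket == null || !RevokedTickets.IsRevoked(ticket)) return;

        // Replayed ticket from before the user's last logout: strip the
        // principal for this request and tell the browser to drop the cookie.
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        FormsAuthentication.SignOut();
    }
}
```

The logout action then calls RevokedTickets.RevokeAllFor(User.Identity.Name) before FormsAuthentication.SignOut(). A ticket issued by a fresh login after that call has a later IssueDate than the recorded cutoff, so it passes the check; only tickets from before the logout are rejected.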