ASP.NET MVC authenticates and authorizes non-existent users

I use the initializer DropCreateDatabaseAlways, so my database gets destroyed every time the application starts (at least I hope so). The funny thing is that I still see myself logged in. I get through the Authorize attribute and can do dangerous things. This is probably due to the cookies remaining from previous testing.

The registration/login part of my application is the MVC 4 web application template, unmodified. Shouldn't ASP.NET check cookie values against the users stored in the database? WebSecurity.IsAuthenticated returns true, and WebSecurity.CurrentUserName returns a name. The only thing that works as expected is WebSecurity.CurrentUserId, which returns -1. I'm a newbie, so I can only guess that this is because UserId is not stored in a cookie and needs to be retrieved from the database.

Am I right? If so, does this mean that I should always use WebSecurity.CurrentUserId to determine whether the user is logged in? WebSecurity.IsAuthenticated and User.Identity.IsAuthenticated seem useless in this case. I can delete the user account and he or she remains unaffected. What should I do differently if I am mistaken?

+5

6 answers

There is a small window in which, if the user is deleted while still logged in, they can still access the site. Since most actions require confirmation of the user ID, you can simply drop the exception and log out the user.

Normally, the database is not reset on every build, so I assume that this is not an option to use SimpleMembership. Of course you can check it out. I will make another assumption that you do not close your browser when rebuilding the site and deploying a new database. In a real-world scenario, these things just don't happen. The database is never flushed and the user ID is never lost.


+1
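The approach this answer suggests (treat an authenticated cookie as valid only while the user still resolves to a row in the membership table, and log the user out otherwise), as an added C# example that is not part of the original thread. It assumes the SimpleMembership WebSecurity API of the MVC 4 template and the question's observation that WebSecurity.CurrentUserId returns -1 for a user missing from the table; the attribute and controller names are made up for the example.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using WebMatrix.WebData;

// Authorization filter that, on top of the standard [Authorize] checks,
// verifies that the forms-authentication cookie still maps to a row in
// the membership user table. A stale ticket (for example one issued
// before DropCreateDatabaseAlways rebuilt the database) makes
// WebSecurity.CurrentUserId return -1 (as observed in the question);
// such a request is signed out and rejected instead of being authorized.
public class ExistingUserAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Standard checks first: IsAuthenticated, Users, Roles.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // The ticket says "authenticated", but CurrentUserId is resolved
        // from the database, so a cookie alone cannot satisfy this check.
        if (WebSecurity.IsAuthenticated && WebSecurity.CurrentUserId <= 0)
        {
            // Drop the stale ticket and the server-side session so the
            // browser does not keep presenting it on later requests.
            FormsAuthentication.SignOut();
            if (httpContext.Session != null)
                httpContext.Session.Abandon();
            return false;
        }

        return true;
    }
}

// Usage on a controller that must never run for a deleted user. The
// default unauthorized handling returns 401, which the forms
// authentication module turns into a redirect to the login page.
[ExistingUserAuthorize(Roles = "Customer")]
public class DashboardController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

Because the check runs on every request to a decorated action, it closes the window between deleting a user and their next request, at the cost of one membership lookup per request.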

[Answer text lost in extraction; only the fragment "cookie (!)" survives.]

+1

[Answer text lost in extraction; surviving fragments:] cookie, MVC; cookie, FormsAuthentication.LogOff(); (User.Identity.IsAuthenticated == true); UserTable (WebSecurity.CurrentUserId == -1).

+1

[Answer text lost in extraction; surviving fragment:] Authorize.

[Authorize(Roles = "Customer")]
public class DashboardController : Controller
+1

[Answer text partly lost in extraction; surviving fragment:] Session.Abandon(); in the LogOff action of AccountController:

public ActionResult LogOff()
{
    // Remove the forms-authentication ticket from the browser.
    FormsAuthentication.SignOut();
    // Also discard the server-side session state.
    Session.Abandon();

    return RedirectToAction("Index", "Home");
}

[Answer text partly lost in extraction; surviving fragments:] Session.Abandon(); DropCreateDatabaseAlways.

0
  • [List item partly lost in extraction; surviving fragments:] cookie, (inbox/billing ...), X.

  • If you insist on invalidating all current authentication tickets when the application changes (for example, the database or the configuration), you can change these settings in web.config:

    <machineKey validationKey="..." decryptionKey="" />
    
0