Role Based Forms Authentication in ASP.NET 2.0: ASP Alliance

Print Add To Favorites Email To Friend Rate This Article
Role Based Forms Authentication in ASP.NET 2.0

page 12 of 16

by Satheesh Babu
Feedback

Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 65466/ 163

Article Contents:

FormsAuthentication.SignOut() doesnot reflect in LoginStatus and LoginName

Suppose, if we have a password reset feature in our ASP.NET site then the user should be forced to logged out once he chooses the new password, and clicked save. He should be asked to login again and verify the new password.

When a user is already logged in, he can reach the form PasswordReset.aspx and he can choose the new password. When the user types in the new password and clicks save, the user is logged off by calling SignOut() method of FormsAuthentication object. Refer to the code below.

Listing 13 - FormsAuthentication Signout Problem

int res = userDAO.ResetPassword(User.Identity.Name, txtOldPassword.Text, 
txtConfirmPassword.Text);
lblMessage.Text = SUCCESSMSG;
FormsAuthentication.SignOut();

The actual problem is here. After the password reset is successful the above code will log out the user as planned. But the LoginStatus and LoginName controls on the page will still show the status of the user as logged in as seen in Figure 3.

Figure 3 – Signout Problem

When the form is refreshed or for the subsequent server trip the status of the user that is displayed on the form will be successfully changed to logged out. The cause for this problem is even after the FormsAuthentication.SignOut(); line execution the context information of the current request will still hold the logged in user information. On executing the line Context.User.Identity.Name, the signout code will still give the logged in user information and thus LoginStatus control will not reflect the logout change. From the next request Context.User.Identity.Name will have no value in it which will make the login control to behave correctly.

The work around for the above problem will be making the User attribute of Context object to null.

The final code is:

Listing 14 - FormsAuthentication Signout Problem Resolution

int res = userDAO.ResetPassword(User.Identity.Name, txtOldPassword.Text, 
txtConfirmPassword.Text);
lblMessage.Text = SUCCESSMSG;
FormsAuthentication.SignOut();
Context.User = null;

The other way of solving this problem is by redirecting the user to the login page after changing the password. But you need to have some logic to notify the user that the password is successfully changed.

« (Page 11)

View Entire Article

(Page 13) »

User Comments

Title: it works at once
Name: snopbear
Date: 2008-08-26 9:32:07 AM
Comment:
When I log in with test1 or any of them, I get redirected to a HTTP Error 404 - Not Found page. Any ideas?

Title: Question
Name: Jeff
Date: 2008-06-26 9:53:38 AM
Comment:
When you log into the site with a user, go to their homepage, then click logout, hit the BACK button enough, it will get you into the home page without credentials.

Once you hit refresh it kicks you out and you have to login again.

This happens in IE6. It seems to work in Firefox right.

Title: Something is wrong
Name: Mike
Date: 2008-06-25 10:16:43 AM
Comment:
When I log in with test1 or any of them, I get redirected to a HTTP Error 404 - Not Found page. Any ideas?

Title: permissions and roles
Name: tariq
Date: 2008-05-12 5:39:03 AM
Comment:
Hi,

I need to grant users with permissions depending on their roles. I have heard about Visual Guard .Net http://www.visual-guard.com/EN. before I start testing, do you have any feedback about this tool?

thank you

Title: Thnx
Name: Dhaval Patel
Date: 2008-05-02 11:04:11 AM
Comment:
thanks buddy... it helped understanding it better.