How to prevent user from authenticating

salickc

Hello,

I'm using Forms Authentication.
When the user logs in for the first time, I create a persistent cookie,
so the user will log in automatically every time he browses the site.

But suppose after a week, I deleted the user from my DB.
He still has the cookie on his computer, and will connect automatically
when he browses.

How can I prevent this situation, but still use persistent cookies?
Can I re-validate users with authentication cookies also?
 
Dominick Baier [DevelopMentor]

Hello (e-mail address removed),

well - you basically give the user the key to your application :) you could
at least limit the lifetime of the persistent cookie to something like 30
days e.g.

there are other solutions that come to my mind, like keeping a list of deleted
users but that's hacky, too. Or you could keep the user in the db and mark
him as locked out.

persistent cookies are evil, simply put.
 
salickc

marking users as locked out means that I need to check the username on
every page which requires authentication. grrr
well, I guess that's an idea

any other ideas?
 
Dominick Baier [DevelopMentor]

Hello (e-mail address removed),

write a HttpModule that handles AuthenticateRequest and check there.
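
The check suggested in the last reply, as an added example that is not part of the original thread: a module that re-validates the account behind the forms cookie on every request and caches the answer briefly so the database is not hit each time. The module name, the `AppDb` connection string, the `Users` table with its `UserName` and `IsLockedOut` columns, and the one-minute cache window are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Hypothetical module; register it in the application's web.config <httpModules>.
public class AccountStatusModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // The built-in FormsAuthenticationModule runs first and sets ctx.User
        // from a valid cookie; anonymous requests need no check.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        if (IsAccountActive(ctx, ctx.User.Identity.Name)) return;

        // Account deleted or locked out: expire the cookie on the client and make
        // this request anonymous so URL authorization sends it to the login page.
        // A replayed copy of the old ticket is rejected the same way next time.
        FormsAuthentication.SignOut();
        ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    private static bool IsAccountActive(HttpContext ctx, string userName)
    {
        string key = "acct-active:" + userName;
        object cached = ctx.Cache[key];
        if (cached != null) return (bool)cached;

        bool active;
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; // assumed name
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(   // assumed schema
            "SELECT COUNT(*) FROM Users WHERE UserName = @name AND IsLockedOut = 0", conn))
        {
            cmd.Parameters.AddWithValue("@name", userName);
            conn.Open();
            active = (int)cmd.ExecuteScalar() > 0;
        }
        // Short absolute expiry bounds how long a removed user keeps access.
        ctx.Cache.Insert(key, active, null, DateTime.UtcNow.AddMinutes(1), Cache.NoSlidingExpiration);
        return active;
    }

    public void Dispose() { }
}
```

Removing the cache entry for a user at the moment the account is deleted or locked makes the revocation take effect on that user's next request instead of after the cache window.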
 
