WebSecurity.Logout() then WebSecurity.IsAuthenticated returns true

不问归期 submitted on 2019-12-24 00:46:09

Question


Consider that the user has a valid auth cookie, but their account has been deleted (from a different location).

WebSecurity.IsAuthenticated returns true.

WebSecurity.CurrentUserName returns the user's username, despite their account being deleted. Presumably, this info is encrypted in the auth cookie.

As it turns out, IsAuthenticated gets its answer from the current HttpContext's request:

this._context.User.Identity.IsAuthenticated

So, to mitigate:

 var userName = WebSecurity.CurrentUserName;
 using (var userDb = new UsersContext())
 {
     var usr = userDb.UserProfiles.SingleOrDefault(u => u.UserName == userName);
     if(usr == null)
     {
         WebSecurity.Logout();
     }
 }

but, even after this:

 WebSecurity.IsAuthenticated == true
 WebSecurity.CurrentUserName == "myDeletedUser'sName"

This isn't very useful.

How do I clear out this info and get WebSecurity to re-assess the user's authentication state? Do I really have to redirect them back to my site just to reset this state? Supposing they POSTed? That's a PITA.

Source: https://stackoverflow.com/questions/17346899/websecurity-logout-then-websecurity-isauthenticated-returns-true
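
An added example, not part of the original post: because IsAuthenticated reads the principal already attached to the current request, expiring the cookie alone does not change its answer until the next request, so the principal has to be replaced as well. `StaleSessionGuard` and `RevokeIfAccountMissing` are hypothetical names; `UsersContext` and `UserProfiles` are taken from the question, and the call site (for example a PostAuthenticateRequest handler or an authorization filter) is an assumption.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web;
using WebMatrix.WebData;

// Hypothetical helper: revalidates the cookie-derived identity against the
// user store and downgrades the current request when the account is gone.
public static class StaleSessionGuard
{
    // A GenericIdentity with an empty name reports IsAuthenticated == false.
    private static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

    // Returns true if the request was downgraded to anonymous.
    public static bool RevokeIfAccountMissing(HttpContextBase context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            return false; // nothing to revoke
        }

        var userName = context.User.Identity.Name;
        using (var userDb = new UsersContext())
        {
            // The cookie is only proof that the user logged in at some point;
            // the database decides whether the account still exists.
            if (userDb.UserProfiles.Any(u => u.UserName == userName))
            {
                return false;
            }
        }

        // Expires the forms-auth cookie in the response, which only
        // affects the requests that follow this one.
        WebSecurity.Logout();

        // Replaces the principal for the remainder of this request, so code
        // that reads context.User.Identity sees an anonymous user, POSTs included.
        context.User = Anonymous;
        return true;
    }
}
```

Running the check early in the pipeline means later authorization decisions in the same request see the anonymous principal, without needing a redirect.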
