Home/ Questions/Q 79563
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T21:09:55+00:00

I need to revoke an authentication cookie if the user no longer exists (or

  • 0

I need to revoke an authentication cookie if the user no longer exists (or some other condition), after the forms authentication mechanism already have received the authentication cookie from the browser and have validated it. I.e. here is the use scenario:

  1. The user have been authenticated, and granted non-expiring auth cookie.

  2. In a few days, the user tries to access my web app again, and as the cookie is valid, the forms authentication mechanism will grant access.

  3. Now I want to perform a second check (whatever condition I want), and decide if I want to let the user continue, or to revoke the authentication.

The question is – is there an official automated way for this? So far I have come with some possibilities, but I do not know which one is better. I can capture the Authenticate event in global.asax, check whatever I want, and to revoke I clear the cookie, and then one of these:

  1. Redirect again to same url – this should work, as this time the forms authentication will fail, and it will redirect to logon page.

  2. Throw some exception ??? which one to make the redirect happen w/o me specifying anything?

  3. Somehow to get the logon page url from the config file (any ideas how/which config handler to use) and redirect directly?

  4. Some FormsAuthentication class/method I have overlooked, which is designed for this?

  5. Any other idea?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. I don’t think there is an automated way to achive this. I think the best way would be to add a date to the auth cookie which will be the last time you checked whether the user exists. So when a user logs-in you’ll:

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(                 1, // Ticket version                 name, // Username associated with ticket                 DateTime.Now, // Date/time issued                 DateTime.Now.AddMonths(1), // Date/time to expire                 true, // 'true' for a persistent user cookie                 DateTime.Now.ToUniversalTime(), // last time the users was checked                 FormsAuthentication.FormsCookiePath);// Path cookie valid for          // Encrypt the cookie using the machine key for secure transport         string hash = FormsAuthentication.Encrypt(ticket);         HttpCookie cookie = new HttpCookie(             FormsAuthentication.FormsCookieName, // Name of auth cookie             hash); // Hashed ticket          cookie.HttpOnly = true;          // Set the cookie's expiration time to the tickets expiration time         if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;         //cookie.Secure = FormsAuthentication.RequireSSL;         Response.Cookies.Add(cookie);

    Then everytime a user is authenicated you can check the additional date you passed to the Authentication ticket and in 10 minute intervals or less double check against the database whether the user exists. The code might look something like this:

    public void FormsAuthentication_OnAuthenticate(object sender,                             FormsAuthenticationEventArgs args)     {         if (FormsAuthentication.CookiesSupported)         {             if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)             {                 try                 {                     FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(                       Request.Cookies[FormsAuthentication.FormsCookieName].Value);                      DateTime lastCheckedTime = DateTime.TryParse(ticket.UserData);                     TimeSpan elapsed = DateTime.Now - lastCheckedTime;                     if (elapsed.TotalMinutes > 10)//Get 10 from the config                     {                         //Check if user exists in the database.                          if (CheckIfUserIsValid())                         {                             //Reset the last checked time                             // and set the authentication cookie again                         }                         else                         {                             FormsAuthentication.SignOut();                             FormsAuthentication.RedirectToLoginPage();                             return;                         }                     }                  }                 catch (Exception e)                 {                     // Decrypt method failed.                 }             }         }     }

    You can even cache the users that have been deleted the last 10 minutes and check against that collection.

    Hope that helps.

    • 0