Technologies that I use:
- MVC v2
- Form Authentication (Expiration)
- Session State Server
- User Authorization Attribute
I am using the server state process for my mvc application. During testing, when the authenticated user clicks the "LogOff" button, he will correctly display them on the authentication screen and, after successfully entering the credentials, will write them back. BUT, it will find its previous state of the session variable, and NOT reload all the new permissions that I gave them. This is due to the way I load the user into the following code:
public override void OnAuthorization(AuthorizationContext filterContext) {
if (filterContext == null)
throw new ArgumentNullException("FilterContext");
if (AuthorizeCore(filterContext.HttpContext)) {
IUser customUser = filterContext.HttpContext.Session["CustomUser"] as IUser;
if ((customUser == null) || (customUser.Name != filterContext.HttpContext.User.Identity.Name)) {
customUser = new User(filterContext.HttpContext.User.Identity.Name,
filterContext.HttpContext.User.Identity.IsAuthenticated);
}
if (_privileges.Length > 0) {
if (!customUser.HasAtLeastOnePrivilege(_privileges))
filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
}
filterContext.HttpContext.Session["CustomUser"] = customUser;
}
}
, , customUser Session, - , , , ( .
, : Session.Abandon() LogOff AccountController, ?