webforms, forms-authentication, aspnetdb

After changing ASPNETDB Username via sql, User.Identity not updating


I'm calling a stored procedure to change the username. This works and the username is changed.

After I change the username, Membership.GetUser() returns null. I check User.Identity and it still has the old username and is authenticated.

First I tried calling this function (which is also called when the user first logs in):

public void Authorize(string username)
{
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddDays(5), true, string.Empty);
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        authCookie.Expires = authTicket.Expiration;

        HttpContext.Current.Response.Cookies.Add(authCookie);
}

Then I tried adding Membership.ValidateUser(username,password) before calling the Authorize function (since it's a test account and I do know the password) but it didn't make any difference.

Then I tried this:

FormsAuthentication.SignOut();
FormsAuthentication.SetAuthCookie(txtUserName.Text, false);

I'm confused that after I call FormsAuthentication.SignOut(), the User.Identity.IsAuthenticated is still true. Is that not supposed to be updated until after the page reloads?

I read this http://forums.asp.net/t/939408.aspx/1 which makes me think my problem is User.Identity.Name never getting updated. How do I make that happen?

  1. Membership.GetUser() will only work for an authenticated user. Otherwise, it's going to return null. To verify you're dealing with an authenticated request call "User.Identity.IsAuthenticated" on the page. If you've got an authenticated request, but Membership.GetUser() is still returning null, then that means the username associated with the authenticated user can't be found in the Membership datasource. Verify the username of the authenticated user with "User.Identity.Name".

  2. If you're calling one of the Membership.GetUser() overloads which takes the username and it's returning null, then that user doesn't exist in the Membership datasource (or we've got a bug). One way to easily verify this is to try a Membership.CreateUser() with the same username. If this doesn't throw an error because of a duplicate user, then you know the user never existed in the first place.

  3. Membership.GetUser() should have never worked for an anonymous user. No support was built into Membership for handling this case.


Solution

  • Any changes to the FormsCookie or user account are not reflected in the User.Identity property until the next request. This property is set by the membership provider at the start of the request when the cookie is validated. Any changes you make will be seen in any subsequent requests.

    You can manually replace User.Identity with a principal of your own, but this requires implementing your own membership provider.
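
The sequence described above, as an added example that is not part of the original question or answer: after the rename has succeeded, issue a ticket for the new name and redirect so the next request is authenticated from it. `IdentityRefresh` and `ReissueForRenamedUser` are hypothetical names; the stored-procedure call from the question is assumed to have already completed before this runs.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original post). Call it from the page's
// event handler once the rename stored procedure has returned successfully.
public static class IdentityRefresh
{
    public static void ReissueForRenamedUser(HttpContext context, string newUserName)
    {
        // The cookie that arrived with this request still names the old user.
        // User.Identity was built from it at the start of the request, which is
        // why Membership.GetUser() looks up a name that no longer exists.

        // Queue a Set-Cookie header carrying a ticket for the new name.
        // This does not change User.Identity for the request in progress.
        FormsAuthentication.SetAuthCookie(newUserName, false);

        // Optional: if code later in this same request reads User.Identity.Name,
        // swap the principal by hand. The ticket built here is only used to
        // construct the identity object; it is never sent to the browser.
        var ticket = new FormsAuthenticationTicket(
            newUserName,
            false,
            (int)FormsAuthentication.Timeout.TotalMinutes);
        context.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);

        // Redirect to the same URL so the browser comes back with the new
        // cookie. From that request on, User.Identity.Name is the new name
        // without any manual replacement.
        context.Response.Redirect(context.Request.RawUrl, false);
        context.ApplicationInstance.CompleteRequest();
    }
}
```

From a Web Forms code-behind this would be called as `IdentityRefresh.ReissueForRenamedUser(Context, txtUserName.Text);`.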