With forms authentication, the only thing that's validated for each request is that the cookie contains a valid forms authentication ticket, and that the ticket has not expired.
If you want to check that the ticket still represents a valid user in your membership store, then you need to add that check to each request. The simplest solution is probably a custom `IHttpModule`:
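/// <summary>
/// Re-validates a forms-authenticated user against the membership store on every request,
/// so that an unexpired forms ticket cannot outlive the account it was issued for.
/// Note that this costs one membership-store lookup per authenticated request.
/// </summary>
public sealed class MembershipValidationModule : IHttpModule
{
    /// <summary>Nothing to release: the module holds no disposable state.</summary>
    public void Dispose()
    {
    }

    /// <summary>
    /// Hooks <see cref="HttpApplication.PostAuthenticateRequest"/>, the first point at which
    /// the forms ticket has already been turned into <c>context.User</c>.
    /// </summary>
    /// <param name="context">The application whose pipeline the module attaches to.</param>
    /// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
    public void Init(HttpApplication context)
    {
        if (context == null) throw new ArgumentNullException(nameof(context));
        context.PostAuthenticateRequest += (s, e) =>
        {
            // The sender is the HttpApplication raising the event; it carries the request context.
            if (s is HttpApplication app && app.Context != null)
            {
                OnAuthenticated(new HttpContextWrapper(app.Context));
            }
        };
    }

    /// <summary>
    /// Signs the request out when the forms-authenticated principal no longer maps to an
    /// approved, non-locked-out membership account.
    /// </summary>
    /// <param name="context">The current request context; must not be null.</param>
    private static void OnAuthenticated([NotNull] HttpContextBase context)
    {
        if (!IsFormsAuthenticated(context.User))
        {
            return;
        }

        var user = Membership.GetUser();
        // A deleted, unapproved or locked-out account must not keep riding an unexpired ticket.
        if (user == null || !user.IsApproved || user.IsLockedOut)
        {
            FormsAuthentication.SignOut();
            // Demote the current request to anonymous instead of leaving User null, which would
            // throw in downstream code that reads context.User.Identity.
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), Array.Empty<string>());
        }
    }

    /// <summary>True when <paramref name="user"/> carries an authenticated identity of type "Forms".</summary>
    /// <param name="user">The principal attached to the request; may be null.</param>
    /// <returns>Whether the principal was established by forms authentication.</returns>
    private static bool IsFormsAuthenticated(IPrincipal user)
    {
        // Guard the identity as well as the principal: a principal with a null Identity is legal.
        var identity = user?.Identity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return false;
        }

        return string.Equals(identity.AuthenticationType, "Forms", StringComparison.OrdinalIgnoreCase);
    }
}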
<configuration>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules>
<!-- Registers the module with the IIS integrated pipeline for managed handlers.
     The type attribute is a placeholder: replace YourNamespace/YourAssembly with the
     module's real namespace and assembly name. -->
<add
name="MembershipValidationModule"
preCondition="managedHandler"
type="YourNamespace.MembershipValidationModule, YourAssembly"
/>
</modules>
</system.webServer>
</configuration>