tags:

views:

584

answers:

3

I created an App with ASP.NET MVC 1.0 and wish to use a custom method (for admins) to create a user. I took the Register method (in the Account controller) and renamed it to Create. I then commented out the line FormsAuth.SignIn(userName, false); to avoid the newly created user to sign in.

When I complete the create user form, the user gets added fine, but he also gets signed in. Now both me and the new user are signed in. I know this because my ListUsers page tests for user.IsOnline

UPDATE (2009-07-15 14:40): I have been doing some Google-ing and found that User.IsOnline is not very reliable due to the stateless HTTP protocol. Note: if I go to the UserDetails page (which is populated using MembershipUserAndRolesViewData) the Last Login shows as NULL. But my ListUsers page shows a login date...???


public class AccountController : Controller
{

// ...

[Authorize(Roles = "Administrator")]    
[AcceptVerbs(HttpVerbs.Post)]
     public ActionResult Create(string userName, string email, string password, string confirmPassword)
     {

      ViewData["PasswordLength"] = MembershipService.MinPasswordLength;


      if (ValidateRegistration(userName, email, password, confirmPassword))
      {

       // Attempt to register the user
       MembershipCreateStatus createStatus = MembershipService.CreateUser(userName, password, email);

       if (createStatus == MembershipCreateStatus.Success)
       {
        //FormsAuth.SignIn(userName, false); // createPersistentCookie 
        return RedirectToAction("ListUsers", "Account");
       }
       else
       {
        ModelState.AddModelError("_FORM", ErrorCodeToString(createStatus));
       }
      }

      // If we got this far, something failed, redisplay form
      return View();

     }
}
A: 

There must be something wrong with a code you didn't show. If you create a new ASP.NET MVC project using the default VS template and then comment out the line FormsAuth.SignIn(userName, false) the user is not signed in as expected.

Darin Dimitrov
A: 

It's a bit of a hack, but I suppose you could log them out before redirecting them.

FormsAuth.SignOut();    
return RedirectToAction("Index", "Home");
Robert Harvey
+2  A: 

Checking http://msdn.microsoft.com/en-us/library/system.web.security.membershipuser.isonline.aspx mentions this:

A user is considered online if the current date and time minus the UserIsOnlineTimeWindow property value is earlier than the LastActivityDate for the user.

The LastActivityDate for a user is updated to the current date and time by the CreateUser, UpdateUser and ValidateUser methods, and can be updated by some of the overloads of the GetUser method.

This page http://msdn.microsoft.com/en-us/library/system.web.security.membershipuser.lastactivitydate.aspx also says this:

The LastActivityDate for a user is updated to the current date and time by the CreateUser and ValidateUser methods, and can be updated by some overloads of the GetUser method. You can use the UpdateUser method to set the LastActivityDate property to a specific date and time.

So it seems that when you create a new account, this is considered as being "Online". A workaround could be to modify the default CreateUser in the AccountMembershipService class to reset the date when you create an account:

    public MembershipCreateStatus CreateUser(string userName, string password, string email)
    {
        MembershipCreateStatus status;
        MembershipUser user = _provider.CreateUser(userName, password, email, null, null, true, null, out status);
        user.LastActivityDate = DateTime.MinValue; //set the LastActivityDate to a point far back in the past
        _provider.UpdateUser(user); //update the user to the MembershipProvider
        return status;
    }
eyesnz