asp.net membership IsApproved false but still allowing login

Question

i have change the default Account Membership provider to set IsApproved to false.

    public MembershipCreateStatus CreateUser(string userName, string password, string email)
    {
        MembershipCreateStatus status;
        _provider.CreateUser(userName, password, email, null, null, false, null, out status);
        return status;
    }

But i then go back to the login page and it allows me to login. Shouldn't it fail login and say that i am not approved ??

EDIT:

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Register(string userName, string email, string password, string confirmPassword, string address, string address2, string city, string state, string homePhone, string cellPhone, string company)
    {

        ViewData["PasswordLength"] = MembershipService.MinPasswordLength;

        if (ValidateRegistration(userName, email, password, confirmPassword))
        {

            // Attempt to register the user
            MembershipCreateStatus createStatus = MembershipService.CreateUser(userName, password, email);

            if (createStatus == MembershipCreateStatus.Success)
            {
                FormsAuth.SignIn(userName, false /* createPersistentCookie */);

                TempData["form"] = Request.Form;
                TempData["isActive"] = false;
                return RedirectToAction("Create", "Users");
            }
            else
            {
                ModelState.AddModelError("_FORM", ErrorCodeToString(createStatus));
            }
        }

        // If we got this far, something failed, redisplay form
        return View();
    }

Answer 1

(it looks like the other copy of this question is going to be closed, so I've copied my answer here)

HttpRequest.IsAuthenticated returns true if HttpContext.User.Identity is not null and it's IsAuthenticated property returns true.

The current identity is set in the FormsAuthenticationModule, but it has nothing to do with your MembershipProvider. In fact, it doesn't even reference it. All it does is check to see if the authentication cookie is still set and is still valid (as is, has not expired).

I think the problem is that you are calling one of the FormsAuthentication methods like RedirectFromLoginPage, which is settings the authentication cookie. If you need to wait until the user is approved, then you need to make sure you are not setting the cookie.

Update

There are no values of MembershipCreateStatus that specify that the user has been created but not approved, so your code is calling FormsAuth.SignIn without actually checking if the user has been approved.

FormsAuth.SignIn just sets the cookie, that's it. It doesn't validate the user or otherwise have any relation to your MembershipProvider. If approval is asynchronous (ie. waiting for a human), then don't automatically log the user in by calling FormsAuth.SignIn.