I cache information about the currently logged in user in the session. This info lazy loads whenever a CurrentUser property on my global application class is used. It does this by calling GetUser() on my custom implementation of MembershipProvider, which either loads the user up from the session, or loads the user from the DB and throws the user object in the session.

How should I handle this scenario?

  1. User logs in.
  2. Administrator deletes user (or deactivates...the point is they can't log in any more).
  3. User's session expires.
  4. User navigates to a page or makes a request, or whatever.

Currently, if this scenario occurs, NullReferenceExceptions are thrown all over the place, because the ASP.NET framework calls GetUser(), which returns nothing because it can't find the user in the database (and there's nothing in the session because it expired).

A: 

Throw an exception from GetUser() if you're going to return null. Then you can have the Application_Error event trap that specific exception and redirect to your login page.

nw
A: 

If your app thinks a user is signed in but the user cannot be found, one option might be to use FormsAuthentication.SignOut() to make ASP.NET forget about the user. They should then be kicked back to the login screen or anonymous mode.

dahlbyk
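
The two answers combine naturally; the following is an added example, not code from the question or from either answerer. `StaleUserException` and the `Global` class layout are hypothetical names, and the exception is thrown from the `CurrentUser` accessor rather than inside the provider, so the provider's `GetUser()` can keep returning null to other callers.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical exception: the auth ticket names a user who is gone or disabled.
public class StaleUserException : Exception
{
    public StaleUserException(string name)
        : base("No active account for '" + name + "'") { }
}

public class Global : HttpApplication
{
    // Lazy accessor like the question's CurrentUser. For an authenticated
    // request it returns a usable user or throws; it never returns null.
    public static MembershipUser CurrentUser
    {
        get
        {
            HttpContext ctx = HttpContext.Current;
            if (!ctx.Request.IsAuthenticated) return null;   // anonymous visitor

            MembershipUser user = Membership.GetUser();      // asks the configured provider
            if (user == null || !user.IsApproved || user.IsLockedOut)
                throw new StaleUserException(ctx.User.Identity.Name);
            return user;
        }
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // Exceptions raised in pages arrive wrapped in HttpUnhandledException,
        // so inspect the innermost exception instead of the outer one.
        if (ex == null || !(ex.GetBaseException() is StaleUserException)) return;

        Server.ClearError();
        FormsAuthentication.SignOut();                       // expire the forms-auth cookie
        if (Context.Session != null)                         // session may be unavailable here
            Context.Session.Abandon();                       // drop any cached user object
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Because the user object is cached in the session, a deletion or deactivation only reaches this check once the cached copy is gone, which is exactly step 3 of the scenario.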