Does SimpleMembership take user authentication away?

I am creating a new MVC 4 website and I have SimpleMembership set up. I also created a CustomPrincipal that inherits from RolePrincipal and has one additional property called UserInfo, which contains additional information about the user such as LastName, FirstName, and IsActive. This is all stored in the cookie through the UserData property of the FormsAuthenticationTicket.

My question is the following. Suppose I have a management page where an administrator can disable other user accounts, i.e. set the IsActive property to false. Suppose that, at the same time, the user being disabled is actually logged in at that moment. I do not want this user to be able to continue navigating the site once his access rights have been revoked.

How can I kill his session, for example by invalidating his FormsAuthentication cookie? Is this the right approach, or is there something else in SimpleMembership that I am missing? What is the right way to achieve this? Any advice would be appreciated ...

+4
1 answer

I would suggest combining the use of Application_AuthenticateRequest and the ASP.NET cache, as shown below:

1) When the user is deleted, put the user ID into the ASP.NET cache, where it can sit for a finite period of time (say, one day):

```csharp
// Needs: using System.Web; using System.Web.Caching;
// Run this where the administrator disables or deletes the account. The key must be
// built from the same identifier the AuthenticateRequest handler reads back from the
// forms ticket (its Name), so userId should be whatever the ticket was issued for.
string cacheKey = "RecentlyDeletedUserId" + userId;
HttpRuntime.Cache.Add(
    cacheKey,
    true,
    null,                        // no cache dependency
    DateTime.Now.AddDays(1),     // absolute expiration: one day
    Cache.NoSlidingExpiration,   // slidingExpiration is a TimeSpan, so null does not compile here
    CacheItemPriority.Normal,
    null);                       // no removal callback
```

2) In global.asax, you can add an Application_AuthenticateRequest handler that runs for each request after the server has successfully read the forms authentication ticket. In this handler, you make one cheap in-memory cache lookup to find out whether this user is on the list of recently deleted users. If they are, you sign them out and redirect them to the login page.

```csharp
// Global.asax.cs. Needs: using System.Web; using System.Web.Security;
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // FormsAuthenticationModule has already run, so User is populated from the ticket.
    if (!Request.IsAuthenticated) return;

    // The ticket's Name is the identifier the cookie carries; it must match the key
    // material used in step 1 (no database lookup needed).
    string userId = User.Identity.Name;
    string cacheKey = "RecentlyDeletedUserId" + userId;
    if (HttpRuntime.Cache[cacheKey] != null)
    {
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        CompleteRequest();   // stop the rest of the pipeline for this request
    }
}
```

If for some reason you don't like the redirect approach, you could use this approach:

```csharp
// Global.asax.cs. Needs: using System.Web; using System.Security.Principal; using System.Threading;
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (!Request.IsAuthenticated) return;

    string userId = User.Identity.Name;   // same key material as in step 1
    string cacheKey = "RecentlyDeletedUserId" + userId;
    if (HttpRuntime.Cache[cacheKey] != null)
    {
        // Swap in an unauthenticated principal for the remainder of this request.
        IPrincipal anonymousPrincipal = new GenericPrincipal(new GenericIdentity(String.Empty), null);
        Thread.CurrentPrincipal = anonymousPrincipal;
        HttpContext.Current.User = anonymousPrincipal;
    }
}
```

This simply replaces the user with an anonymous user, which ensures that the user cannot do anything on your site. (This alternative approach is taken from Invalidate ASP.NET FormsAuthentication server side.)

+3
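The following is an added example, not code from the question or the answer above. It puts the answer's two steps together into one revocation list and adds the piece a defender usually wants: the cache entry records when the user was revoked, and only tickets issued at or before that instant are rejected, so a user who is later re-enabled and logs in again gets a fresh ticket that passes without waiting for the cache entry to expire. The class and member names (TicketRevocation, Revoke, IsRevoked, ReadTicket) are hypothetical; the framework calls are standard System.Web forms authentication and cache APIs as used with MVC 4.

```csharp
// Added example (not from the original answer). Assumes ASP.NET MVC 4 on System.Web
// with FormsAuthentication / SimpleMembership; TicketRevocation and its members are
// hypothetical names chosen for this illustration.
using System;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public static class TicketRevocation
{
    private const string KeyPrefix = "RevokedUser:";

    // Must be at least the forms authentication timeout (web.config <forms timeout="...">):
    // a ticket issued just before the revocation stays presentable for that long, and it
    // cannot be renewed by sliding expiration because every request is checked below.
    // One day, as in the answer, comfortably covers the default 30-minute timeout.
    private static readonly TimeSpan RevocationLifetime = TimeSpan.FromDays(1);

    // Call from the admin action that disables or deletes the account.
    public static void Revoke(string userName)
    {
        HttpRuntime.Cache.Insert(
            KeyPrefix + userName,
            DateTime.Now,                          // tickets issued at or before this instant are dead
            null,                                  // no cache dependency
            DateTime.Now.Add(RevocationLifetime),  // absolute expiration
            Cache.NoSlidingExpiration);
    }

    // Optional: call when the account is re-enabled. A fresh login already produces a
    // ticket whose IssueDate is newer than the revocation, so this only tidies the cache.
    public static void Unrevoke(string userName)
    {
        HttpRuntime.Cache.Remove(KeyPrefix + userName);
    }

    // True when the ticket's user is on the list and the ticket predates the revocation.
    // FormsAuthenticationTicket.IssueDate is local time, matching DateTime.Now above.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        object revokedAt = HttpRuntime.Cache[KeyPrefix + ticket.Name];
        return revokedAt != null && ticket.IssueDate <= (DateTime)revokedAt;
    }

    // Reads and decrypts the forms cookie on the current request; null when it is absent,
    // malformed or tampered with (Decrypt throws in those cases).
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            return FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;
        }
    }
}

// Global.asax.cs: this handler runs after FormsAuthenticationModule has processed the ticket.
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsAuthenticationTicket ticket = TicketRevocation.ReadTicket(Request);
        if (ticket == null || ticket.Expired || !TicketRevocation.IsRevoked(ticket))
            return;

        // SignOut removes the auth cookie, including any renewed cookie the module queued
        // on this response; then send the user to the login page and end the pipeline.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        CompleteRequest();
    }
}
```

Two caveats follow from the design. The ASP.NET cache is per worker process, so on a web farm or after an application pool recycle the entry is not shared or not present; a shared store (database table or distributed cache) with the same "revoked at" semantics is needed there. And the check is only as good as its coverage: it has to run on every authenticated request, which is exactly why the answer puts it in Application_AuthenticateRequest rather than in individual controllers.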
