>I'd prefer handling this in the authorization phase (assuming that a user has to log in again after a token expires). If you, or the program, makes the AciveLicense invalid during a session it would be disconcerting and annoying for a user.

Hi Viv,

I was looking yesterday at the Authorization attribute and playing with that code, but eventually had to keep it in the BaseController instead.

Here is my current code:

  /// <summary>
        /// Puts the BaseUrl and Culture into the ViewBag for all controllers
        /// </summary>
        /// <param name="filterContext"></param>
        protected override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            base.OnActionExecuting(filterContext);

            ViewBag.OperatorSession = OperatorSession;
            ViewBag.BaseUrl = BaseUrl;
            ViewBag.Culture = System.Threading.Thread.CurrentThread.CurrentUICulture.Name;

            if (ClientLicenses.ActiveClientLicense == null || !ClientLicenses.ActiveClientLicense.IsValidLicense)
            {
                ViewBag.ShowMenu = false;
                
                NotValidLicense(filterContext);
                return;
            }

            ModalMessageHelper.GetInstance().ResetAcknowledgments();
            //  CheckExpiration(); // no need to do it on every call
            //ViewBag.ModalMessageHelper = null;
            CheckAssignoThresholdViews();
        }

        private void NotValidLicense(ActionExecutingContext filterContext)
        {            
            string invalidLicensePath = "importlicenses";

            string currentUrl = Path.GetFileName(Request.Url.AbsolutePath);

            if (currentUrl.ToLower() != invalidLicensePath)
            {               
                filterContext.Result = new RedirectResult(@"~/DataMaintenance/ImportLicenses");
            }
        }

and here is what we currently have in the Authentication attribute:

public void OnAuthorization(AuthorizationContext filterContext)
        {
            var authToken = GetAuthToken(filterContext);

            if (String.IsNullOrEmpty(authToken))
            {
                NotAuthorized(filterContext);
                return;
            }

            var authenticationProvider = _authenticationProviderFactory.GetService();
            var sessionResponse = authenticationProvider.IsValidSession(authToken);

            if (sessionResponse.IsValidSession)
            {
                if (sessionResponse.MustChangePassword)
                {
                    MustChangePassword(filterContext);
                    return;
                }
                var userSession = sessionResponse.OperatorSession;
                if (_rights.Any())
                {
                    foreach (var right in _rights)
                    {
                        if (!userSession.DoesUserHaveRight(right))
                        {
                            NotAllowed(filterContext);
                        }
                    }
                }

                SetAuthTimeoutCookie(filterContext, authenticationProvider.LockTime);
            }
            else
            {
                NotAuthorized(filterContext);
            }
        }

Do you think I should have tried to hook there instead? I think I tried that first but was getting some weird behavior. What would you suggest?

Thanks again.