1. About System.Web.Security.Membership.ValidateUser("username", "password")
Every time you call this, have you noticed which SQL statements are executed?
(A) If the user name does not exist, the following statements are executed:
exec dbo.aspnet_CheckSchemaVersion @Feature=N'Common', @CompatibleSchemaVersion=N'1'
exec dbo.aspnet_CheckSchemaVersion @Feature=N'Membership', @CompatibleSchemaVersion=N'1'
exec dbo.aspnet_Membership_GetPasswordWithFormat @ApplicationName=N'app_luckty', @UserName=N'username', @UpdateLastLoginActivityDate=1, @CurrentTimeUtc='2017-06-02 12:22:34:563'
(B) If the user name exists, the following two statements are executed in addition to the ones above (the second one records the failed or successful attempt against the user's row):
exec sp_reset_connection
exec dbo.aspnet_Membership_UpdateUserInfo @ApplicationName=N'app_luckty', @UserName=N'yjmyzz@126.com', @IsPasswordCorrect=0, @UpdateLastLoginActivityDate=1, @MaxInvalidPasswordAttempts=999, @PasswordAttemptWindow=999, @CurrentTimeUtc='2009-06-02 12:26:04:173', @LastLoginDate='2009-06-02 12:15:53:860', @LastActivityDate='2009-06-02 12:15:53:860'
What is sp_reset_connection for?
Description from http://msdn.microsoft.com/zh-cn/library/ms187961(SQL.90).aspx
The sp_reset_connection stored procedure is used by SQL Server to support remote stored procedure calls in a transaction. When a connection is reused from a connection pool, this stored procedure also causes the Audit Login and Audit Logout events to fire.
2. if (User.Identity.IsAuthenticated) {...} or if (User.IsInRole("rolename")) {...}: how does the system know whether the current user has logged on (or belongs to a role)?
(A. Guess one:) Is the database queried? Of course not. If you don't believe it, monitor the SQL statements reaching the database.
(B. Guess two:) Is it kept in Session? No. If you don't believe it, set EnableSessionState="false" and try again; it still works.
(C. Guess three:) Is it kept in the cookie? If you don't believe it, disable cookies (the most perverse way is to set the permissions on the Documents and Settings\Administrator\Cookies directory so that no user can read it), and you will find you can no longer log on to the system.
3. Apart from FormsAuthentication.SignOut(), is there any other way to log out the "current" user, or a way to log out a "specified" user?
From 2 it is easy to see that as long as you can get hold of a specific user's client cookie and make it expire, the user is logged out; see the following code:
// Build the forms ticket cookie for the given user name, then set its expiry in the past
// so that the browser receiving this response discards it.
HttpCookie _cookie = FormsAuthentication.GetAuthCookie(username, true);
_cookie.Expires = DateTime.Now.AddDays(-1);
HttpContext.Current.Response.Cookies.Add(_cookie);
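As an added example, not code from the original post: since the logon state lives in the ticket cookie, expiring a cookie in a response only logs out the browser that receives that response. To log out a specified user from the server side you can record the moment the user was revoked and reject any ticket issued before it; the ForcedLogoutModule below is hypothetical and assumes it is registered as an HTTP module in web.config.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (hypothetical module, not from the original post): force a
// named user out by refusing forms tickets issued before their revocation time.
public class ForcedLogoutModule : IHttpModule
{
    // Hypothetical in-memory store; use a database or distributed cache in production.
    private static readonly ConcurrentDictionary<string, DateTime> RevokedAt =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Called from an administrative action to log a named user out everywhere.
    public static void ForceLogout(string username)
    {
        RevokedAt[username] = DateTime.UtcNow;
    }

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }   // tampered or undecryptable cookie
        if (ticket == null || ticket.Expired) return;
        DateTime revokedAt;
        if (RevokedAt.TryGetValue(ticket.Name, out revokedAt)
            && ticket.IssueDate.ToUniversalTime() <= revokedAt)
        {
            // Ticket predates the forced logout: drop the principal for this
            // request and expire the cookie so the browser stops sending it.
            ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            FormsAuthentication.SignOut();
        }
    }

    public void Dispose() { }
}
```

The in-memory dictionary is lost on application restart and is not shared between web nodes, so a real deployment keeps the revocation times in shared storage.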