public string IsAuthorized(string username, string roleName, string token)
        {
            MembershipUser      user               = Membership.GetAllUsers()[username];
            Configuration       config             = ConfigurationManager.OpenExeConfiguration(HostingEnvironment.MapPath("~") + "\\web.config");
            SessionStateSection sessionStateConfig = (SessionStateSection)config.SectionGroups.Get("system.web").Sections.Get("sessionState");
            InMemoryInstances   instance           = InMemoryInstances.Instance;

            // Check for session state timeout (could use a constant here instead if you don't want to rely on the config).
            if (user.LastLoginDate.AddMinutes(sessionStateConfig.Timeout.TotalMinutes) < DateTime.Now)
            {
                // Remove token from the singleton in this instance, effectively a logout.
                instance.removeTokenUserPair(username);
                return("User Unauthorized - login has expired!");
            }
            if (!instance.checkTokenUserPair(username, token))
            {
                return("User Unauthorized - not a valid token!");
            }
            // Check for role membership.
            if (!Roles.GetUsersInRole(roleName).Contains(user.UserName))
            {
                return("User Unauthorized - Does not belong in that role!");
            }
            return("Success - User is Authorized!");
        }
 public string AuthenticateUser(string username, string encryptedPassword)
 {
     if (Membership.ValidateUser(username, Decrypt(encryptedPassword)))
     {
         // Not sure if this is actually needed, but reading some documentation I think it's a safe bet to do here anyway.
         Membership.GetAllUsers()[username].LastLoginDate = DateTime.Now;
         // Send back a token!
         Guid token = Guid.NewGuid();
         // Store a token for this username.
         InMemoryInstances instance = InMemoryInstances.Instance;
         instance.removeTokenUserPair(username);                         //Because we don't implement a "Logout" method.
         instance.addTokenUserPair(username, token.ToString());
         return(token.ToString());
     }
     return("Error - User was not able to be validated!");
 }