Expire all forms authentication cookies

Published 2019-07-07 09:04

Question:

I have a small website with about 10 members. 5 of those are now banned.

I have ensured that they cannot login through the login page.

However because the authentication cookie is persistent and is set to expire after a few months if they return to the site they will still be logged in.

A simple solution is just to expire all authentication tickets/cookies.

How to do that?

Answer 1:

If you are happy with invalidating cookies for all users then you could just rename the forms authentication cookie in the web.config like so:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" name=".ASPXAUTH2"/>
</authentication>

This will force all users to log in again - and then you can use the techniques mentioned above to ensure that your banned users aren't allowed to log in.

NB the default cookie name is .ASPXAUTH. The code above renames it to .ASPXAUTH2. The only problem I can think of with this approach is if you have some code which specifically looks for the .ASPXAUTH cookie.



Answer 2:

Cookies are meant for authentication, not for authorization.

From Wikipedia:

The process of authorization is sometimes mistakenly thought to be the same as authentication; many widely adopted standard security protocols, obligatory regulations, and even statutes make this error. However, authentication is the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given principal (person, computer, process, etc.). Authorization, on the other hand, involves verifying that an authenticated subject has permission to perform certain operations or access specific resources. Authentication, therefore, must precede authorization.

If you are using Forms authentication then Rob's answer is the way to go. Otherwise you may need to implement it manually.

Sure, they can still be identified as users (banned, but users). But still, that shouldn't be enough to let them in.

As azamsharp posted, there has to be a way to tell users from banned users in the database, and not let them log in.

Then the banned users can still be authenticated (after they send the correct user and password) but not authorized (after they are detected as banned).



Answer 3:

You can add a field in the database called IsBanned. When the user is banned, IsBanned is true. If IsBanned is true then you do not allow the user to access the website.



Answer 4:

Since you are using forms authentication, you can use the authorization setting in the web.config:

<system.web>
    <authorization>
      <deny users="user1,user2,user3"/>
    </authorization>
</system.web>

Or, if you are using a roles provider, you could do:

<system.web>
    <authorization>
      <deny roles="banned"/>
    </authorization>
</system.web>
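Putting the answers above into code, here is an added example for a WebForms site's Global.asax.cs; it is not code posted by any of the answerers. It implements Answer 3's IsBanned check at request time and Answer 2's split between authentication and authorization at login time, and it goes one step beyond Answer 1's cookie rename: every ticket issued before a chosen cutoff is treated as revoked, so all existing cookies stop working without renaming anything in web.config. The banned-user set and the cutoff date are constructed placeholders standing in for the site's database, and `IsRevoked` and `TryIssueTicket` are names chosen for this example.

```csharp
// Global.asax.cs -- added example, not code from the original answers.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Constructed stand-in for the IsBanned column from answer 3; a real site
    // would query its membership store (and cache the result) instead.
    private static readonly HashSet<string> BannedUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "user1", "user2" };

    // Placeholder cutoff: any ticket issued before this moment is treated as
    // revoked, which logs every user out at once (the same effect as renaming
    // the cookie in answer 1, but without touching web.config). Move it
    // forward whenever all sessions need to be invalidated again.
    // FormsAuthenticationTicket.IssueDate is a local time, so the cutoff is too.
    private static readonly DateTime TicketCutoff =
        new DateTime(2019, 7, 1, 0, 0, 0, DateTimeKind.Local);

    // Runs after FormsAuthenticationModule has decrypted the cookie and set
    // Context.User, but before any page or handler executes.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;

        if (!IsRevoked(identity.Ticket, TicketCutoff, BannedUsers))
            return;

        // Clear the cookie, send the visitor to the login page and stop the
        // pipeline so the requested page never runs for a revoked ticket.
        FormsAuthentication.SignOut();
        Response.Redirect(FormsAuthentication.LoginUrl, endResponse: false);
        CompleteRequest();
    }

    // Decision logic kept side-effect free so it can be unit tested:
    // a ticket is revoked if it has expired, predates the cutoff, or names a banned user.
    public static bool IsRevoked(FormsAuthenticationTicket ticket, DateTime cutoff, ISet<string> banned)
    {
        if (ticket == null || ticket.Expired)
            return true;
        if (ticket.IssueDate < cutoff)
            return true;
        return banned.Contains(ticket.Name);
    }

    // Login-side guard (answer 2's point): the password may be correct
    // (authentication) and the user still gets no ticket (authorization).
    // Call this instead of FormsAuthentication.SetAuthCookie once
    // Membership.ValidateUser (or your own credential check) has succeeded.
    public static bool TryIssueTicket(string userName, bool rememberMe)
    {
        if (BannedUsers.Contains(userName))
            return false;
        FormsAuthentication.SetAuthCookie(userName, rememberMe);
        return true;
    }
}
```

The request-time check matters because a persistent cookie stays valid on the client until it expires or is cleared; blocking the login page alone, as the question notes, does nothing for tickets that were issued before the ban. The `<deny users>` or `<deny roles>` entries from Answer 4 still work alongside this as a second layer, since `UrlAuthorizationModule` evaluates them after `Context.User` is set.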