4

I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.

Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.

I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.

2 Answers

5

Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).

There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".

Upon successful login, generate a token (a GUID perhaps) and store that with the session. Also write this to an application-wide store (database or application context for instance) keyed by the userid.

In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.
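The token scheme this answer describes, sketched as an action filter. This is an added example, not code from the original answer; `LoginTokenStore`, `SingleSessionAttribute` and the `"LoginToken"` session key are hypothetical names, and the in-memory dictionary stands in for the application-wide store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical application-wide store: user name -> token of the most recent login.
// In-process only; a web farm or an app-pool recycle needs a database or shared cache.
public static class LoginTokenStore
{
    private static readonly ConcurrentDictionary<string, string> Current =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Login action, after SetAuthCookie: Session[SingleSessionAttribute.SessionKey] = LoginTokenStore.Issue(userName);
    public static string Issue(string userName)
    {
        string token = Guid.NewGuid().ToString("N");
        Current[userName] = token;   // overwriting revokes every earlier login for this user
        return token;
    }

    public static bool IsCurrent(string userName, string token)
    {
        string expected;
        return token != null
            && Current.TryGetValue(userName, out expected)
            && string.Equals(expected, token, StringComparison.Ordinal);
    }
}

// Apply to the common base controller, or register as a global filter.
public class SingleSessionAttribute : ActionFilterAttribute
{
    public const string SessionKey = "LoginToken";   // hypothetical session key

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (!http.User.Identity.IsAuthenticated) return;   // [Authorize] deals with anonymous requests

        var token = http.Session == null ? null : http.Session[SessionKey] as string;
        if (LoginTokenStore.IsCurrent(http.User.Identity.Name, token)) return;

        // A newer login replaced this one, or the token was lost: fail closed.
        FormsAuthentication.SignOut();
        if (http.Session != null) http.Session.Abandon();
        filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl);
    }
}
```

Because the forms-authentication cookie can outlive the session, a request whose session has expired carries no token and is signed out as well; the older workstation is only signed out on its next request, as the answer notes.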


1 Comment

This is good. I was leaning this direction, but it's good to have confirmation.

0

You could use the Membership.IsOnline property which is based on LastActivityDate:

A user is considered online if the current date and time minus the UserIsOnlineTimeWindow property value is earlier than the LastActivityDate for the user.

3 Comments

This could help identify if a user is online, but I haven't found an API for logging out other sessions.
@Thomas, why do you want to log out other sessions? If you want to allow a single session simply tell the user to close his other sessions before logging in.
The issue is with preventing a user from letting other people use his/her login. I want to mitigate the risk of multiple people working under one account.
