I have recently implemented the ASP.NET Identity system into my website.

Now for the fact that I don't want my users to use accounts between themselves I want to log out people with the same username. I noticed that I have an AspNetUserLogins table and theoretically I could just delete doubled items from there but it's always empty.

Did I implement it badly? Is it supposed to be empty? Everything seems to work without a problem otherwise.

If it is supposed to be empty do I have to fill it manually?

Is AspNetUserClaims also supposed to be empty until I make a custom claim for it?

Any other ideas on how to implement this automatic sign out system?

Edit: Did some simple research and realized AspNetUserLogins is just for external logins. But what actually keeps the logs of who is logged in?

misha130
  • As far as I know, nothing keeps the logs of who is logged in, other than the users themselves possessing the right cookie. What you're doing is probably going to cause more harm than good - what if it's one person, but they want to log in on their cell phone and on their desktop? Or they have two desktops? Or two browsers? If I were you, I would instead intercept the logins, log them to some sort of file with geolocation information and access time. Then create a report based on that which would help you find people sharing their login. And then deal with those on a case by case basis. – mason Apr 03 '15 at 16:21
  • OK, you are right actually. But as far as the answers go, there is no system that supports it unless I implement it myself (I don't want to). But to be honest, I don't see that much harm in it that it will log people out at different places. I mean it's just one person doing the work so he can't really work in 2 places at the same time, but okay. I'll just create a log with the IP, location & device. Thank you. – misha130 Apr 03 '15 at 16:26
  • "he cant really work in 2 places at the same time". Wrong. Two different browsers, or two different computers, or a phone and a computer. A phone and a tablet. A tablet and a computer. You don't know what people's setups and workflows are right - don't risk annoying your users by signing them out. Just pay attention to when you're pretty sure two different people are using it (based on the logs) and then contact them as appropriate. – mason Apr 03 '15 at 16:32
  • And don't forget where multiple people are sharing one account on the same IP address, such as at a home, a business, or an education setting. – mason Apr 03 '15 at 16:33
  • Also most of the time users will just close their browser, deleting session cookie, without explicitly signing-out. So even if you keep track of who is logged in, your list can be out-dated. – Shoaib Shakeel Apr 05 '15 at 15:29

1 Answer

You need to store a list of logged-in users somewhere, such as in a database or a file. And when a new user tries to log in, search previous records to see whether a user with the same name is already logged in or not.

If a duplicate is found then just update SecurityStamp.

```csharp
// Await the call so the new stamp is saved before the new user is signed in.
await UserManager.UpdateSecurityStampAsync(userId);
```

So the next time the current user's validate interval ends and the SecurityStamp is found invalid, he will be automatically signed out. You can find the validate interval in your identity configuration class.

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    ExpireTimeSpan = System.TimeSpan.FromDays(30),
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    Provider = new CookieAuthenticationProvider
    {
        // Compares the cookie's SecurityStamp with the stored one once
        // validateInterval has elapsed; a mismatch signs the user out.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});
```

And after calling the above method, just log in the new user and update your login record list.

NOTE: This is a really bad practice to enforce such policies. Try to avoid it as much as possible. Even different browsers, or one browser with separate sessions, will be considered as duplicate sign-in.

Shoaib Shakeel
  • Yes. First you need to make sure that this is a duplicate sign-in attempt by consulting old sign-in records. And if it is, then just update `SecurityStamp`. After that, log in the new user and update your sign-in logs. If it is not a duplicate sign-in attempt then there is no need to update `SecurityStamp`; just log in the new user and update sign-in records. – Shoaib Shakeel Apr 06 '15 at 09:18
  • Well when I added the Security Stamp update, all my users got disconnected (all user ids) whenever I enter or whenever someone enters. Of course I checked the UserID on it and all the data was proper. I am beginning to think adding a custom authorization attribute is the only way to do this. – misha130 Apr 06 '15 at 11:11
  • Try to view the security stamp in your database and view what happens when you call this method. Only one security stamp should be updated. Otherwise you are doing something wrong. Also you need to share what code you've written so that the community can help you if there's a problem. Also even if you create a custom AuthorizeAttribute, you'll still need to use the same method to log out currently logged-in users. – Shoaib Shakeel Apr 06 '15 at 11:33
  • It's OK, I figured it out. I had to sign in again after creating the new security stamp so my identity will update as well. Thanks – misha130 Apr 06 '15 at 11:44
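
The steps from the answer and its comments put together in one sign-in routine, as an added example that is not code from the original thread. It assumes the default MVC 5 template classes (`ApplicationUserManager`, `ApplicationSignInManager`, `ApplicationUser`); `ISignInLog` and `SingleSessionSignIn` are hypothetical names for the sign-in record store and the wrapper.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Hypothetical store for sign-in records; back it with a table or a file.
public interface ISignInLog
{
    Task<bool> HasActiveSignInAsync(string userId);
    Task RecordSignInAsync(string userId, string ip, string userAgent, DateTime utc);
}

public class SingleSessionSignIn
{
    private readonly ApplicationUserManager _users;
    private readonly ApplicationSignInManager _signIn;
    private readonly ISignInLog _log;

    public SingleSessionSignIn(ApplicationUserManager users,
        ApplicationSignInManager signIn, ISignInLog log)
    { _users = users; _signIn = signIn; _log = log; }

    public async Task<bool> SignInAsync(string userName, string password,
        string ip, string userAgent)
    {
        // Check credentials without issuing a cookie yet.
        // Note: FindAsync does not apply lockout or two-factor checks.
        ApplicationUser user = await _users.FindAsync(userName, password);
        if (user == null) return false;

        if (await _log.HasActiveSignInAsync(user.Id))
        {
            // Rotate the stamp: cookies issued earlier fail the next
            // SecurityStampValidator check (after validateInterval).
            IdentityResult result = await _users.UpdateSecurityStampAsync(user.Id);
            if (!result.Succeeded) return false;
            // Reload so the new cookie is built from the new stamp.
            user = await _users.FindByIdAsync(user.Id);
        }

        // Sign in only after the rotation, so this session survives it.
        await _signIn.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        await _log.RecordSignInAsync(user.Id, ip, userAgent, DateTime.UtcNow);
        return true;
    }
}
```

With the cookie configuration shown in the answer, the older session stays usable for up to the 30-minute `validateInterval` before the validator rejects it.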