4

I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.

Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.

I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.

awright
  • 1,224
  • 1
  • 13
  • 23

2 Answers2

5

Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).

There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".

Upon successful login, generate a token (a guid perhaps) and store that with the session. Also write this to a application-wide store (database or application context for instance) keyed by the userid.

In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.

Ethan Cabiac
  • 4,943
  • 20
  • 36
0

You could use the Membership.IsOnline property which is based on LastActivityDate:

A user is considered online if the current date and time minus the UserIsOnlineTimeWindow property value is earlier than the LastActivityDate for the user.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • This could help identify if a user is online, but I haven't found an API for logging out other sessions. – awright May 18 '11 at 16:58
  • @Thomas, why do you want to log out other sessions? If you want to allow a single session simply tell the user to close his other sessions before logging in. – Darin Dimitrov May 18 '11 at 17:03
  • The issue is with preventing a user from letting other people use his/her login. I want to mitigate the risk of multiple people working under one account. – awright May 18 '11 at 17:21