
As an Admin, I am able to reset the password for all users. May I know how I can log out a particular user's "all" sessions across all devices/PCs when I reset his password?

Example:

1) User1 is logged in on PC1, PC2 and PC3.

2) Admin resets/changes the password for User1.

3) The system logs out the sessions on PC1, PC2 and PC3.

How can it be done in ASP.NET?

Thanks.

TPG
  • I guess there is no direct way for this... one solution is to check the password for the user every time the user tries to access a page... or you can put a flag in the user table called "password reset" and check if the flag is true, then log out the user and force the user to log in again – Pranay Rana Dec 04 '14 at 06:51
  • Guess that's the best way to do it; the only drawback is the extra checking. Will try it out, thanks. – TPG Dec 04 '14 at 08:38

2 Answers

3

It is possible; Facebook and Gmail do that, but it is not simple.

Use a flag in the database that is checked on Session_Start and invalidates the session if that flag is set. It does not necessarily have to be a boolean; you can use a DateTime value and invalidate all sessions that started prior to that time. This could be done by checking a value stored in a cookie upon login. Check the Stack Overflow discussions below; I think they will help you.

Arunprasanth K V
2

I know this is an old issue, but I believe there is an easier method. This method does not provide the functionality of listing all of the active sessions, but it is a very simple and straightforward method of invalidating other sessions when changing the password.

Add a column called SecurityStamp to your user table. If a user logs in and this column is not populated, populate it with a random GUID. Or you could pre-populate the entire table.

When the user logs in, add the value found in the table to a session variable. On every page load, check that their session variable matches what is in the database.

When a user changes their password, update the value in the database with a new random GUID. Additionally, update the session variable for the user who changed the password. You could also add a button that invalidates other sessions without having to change the password.

If the user was logged in from a different device, the session variable associated with that other device's login will not have been updated. When they try to access any page, your check will find that their session variable does not match the database and force them to log out.

SixOThree
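The security-stamp scheme from the second answer (and the "invalidate everything older than this marker" idea of the first) written out for ASP.NET Web Forms, as an added example that is not code from the question or either answer. `SecurityStampStore` is a constructed in-memory stand-in for the SecurityStamp column of the user table, `SecuredPage` is an assumed base class for pages that require login, and `~/Login.aspx` is an assumed login page; the password-hashing and user-lookup parts of a real application are deliberately left out.

```csharp
// Added example, not from the original post or answers.
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.UI;

public static class SecurityStampStore
{
    // Constructed stand-in for the SecurityStamp column of the user table.
    private static readonly ConcurrentDictionary<string, Guid> Stamps =
        new ConcurrentDictionary<string, Guid>(StringComparer.OrdinalIgnoreCase);

    // "If the column is not populated, populate it with a random GUID."
    public static Guid GetOrCreate(string userName) =>
        Stamps.GetOrAdd(userName, _ => Guid.NewGuid());

    // Rotating the stamp is the single operation that invalidates every
    // session that copied the old value at login time.
    public static Guid Rotate(string userName)
    {
        var fresh = Guid.NewGuid();
        Stamps[userName] = fresh;
        return fresh;
    }
}

public static class SessionKeys
{
    public const string UserName = "UserName";
    public const string SecurityStamp = "SecurityStamp";
}

public static class AccountSessions
{
    // Successful login: remember the user and the stamp current at that moment.
    public static void SignIn(HttpSessionStateBase session, string userName)
    {
        session[SessionKeys.UserName] = userName;
        session[SessionKeys.SecurityStamp] = SecurityStampStore.GetOrCreate(userName);
    }

    // Admin reset or self-service password change. If the session performing
    // the change belongs to the same user, refresh its copy of the stamp so
    // that only the *other* devices are logged out.
    public static void OnPasswordChanged(HttpSessionStateBase currentSession, string userName)
    {
        var fresh = SecurityStampStore.Rotate(userName);
        var sessionUser = currentSession?[SessionKeys.UserName] as string;
        if (string.Equals(sessionUser, userName, StringComparison.OrdinalIgnoreCase))
        {
            currentSession[SessionKeys.SecurityStamp] = fresh;
        }
    }

    // Per-request check: true while the session's stamp matches the store.
    public static bool IsStillValid(HttpSessionStateBase session)
    {
        var userName = session[SessionKeys.UserName] as string;
        if (userName == null) return true;          // anonymous session, nothing to validate
        var held = session[SessionKeys.SecurityStamp] as Guid?;
        return held.HasValue && held.Value == SecurityStampStore.GetOrCreate(userName);
    }
}

// Assumed base class for every page that requires login: the check runs before
// any page logic, a stale session is abandoned and the user is sent to login.
public class SecuredPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!AccountSessions.IsStillValid(new HttpSessionStateWrapper(Session)))
        {
            Session.Abandon();
            // Expire the session cookie too, so the browser does not keep presenting the old id.
            Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1)
            });
            Response.Redirect("~/Login.aspx", endResponse: true);
        }
    }
}
```

The cost the comment thread worries about is one indexed read of the user row per request; if that matters, cache the stamp per session for a short interval and re-read it when the interval expires, which bounds how long a revoked device can keep working. The first answer's DateTime variant is the same check with a "sessions valid from" timestamp compared against the session's login time instead of a GUID comparison. If the application uses ASP.NET Identity, this mechanism already exists: the user table has a SecurityStamp column, `UserManager.UpdateSecurityStampAsync` rotates it, and `SecurityStampValidator.OnValidateIdentity` performs the periodic check against the cookie.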