Programmatically logout an ASP.NET user

Question

My app allows an admin to suspend/unsuspend user accounts. I do this with the following code:

MembershipUser user = Membership.GetUser(Guid.Parse(userId));
user.IsApproved = false;
Membership.UpdateUser(user);

The above works fine to suspend the user, but it does not revoke their session. Consequently, the suspended user can remain with access to the application as long as their session cookie remains. Any fix/

score 27 · Answer 1 · answered Jun 23 '10 at 03:55

There's no way to abandon a session from 'outside' the session. You would have to check the database on each page load, and if the account has been disabled, then signout. You could achieve this using a HttpModule too, which would make things a bit cleaner.

For example:

public class UserCheckModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }

    public void Dispose() {}

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        // Get the user (though the method below is probably incorrect)
        // The basic idea is to get the user record using a user key
        // stored in the session (such as the user id).
        MembershipUser user = Membership.GetUser(Guid.Parse(HttpContext.Current.Session["guid"]));

        // Ensure user is valid
        if (!user.IsApproved)
        {
            HttpContext.Current.Session.Abandon();
            FormsAuthentication.SignOut();
            HttpContext.Current.Response.Redirect("~/Login.aspx?AccountDisabled");
        }
    }
}

This isn't a complete example, and the method of retrieving the user using a key stored in the session will need to be adapted, but this should get you started. It will involve an extra database check on each page load to check that the user account is still active, but there's no other way of checking this information.

On the line `MembershipUser user = Membership.GetUser(Guid.Parse(HttpContext.Current.Session["guid"]));`, do you mean we should replace this line with whatever method we are using to get a user? Like a call to the database? — FarFigNewton, May 21 '13 at 19:40
@guanome That's correct, yes. The code example above assumes that you're storing the user ID in the session. The purpose of this line of code is to use a value stored in the session to retrieve the user from the database (like their ID) so that you can check their status. — Mun, May 21 '13 at 20:49

score 6 · Answer 2 · answered Jun 23 '10 at 03:22

6

If using forms authentication:

FormsAuthentication.SignOut();

answered Jun 23 '10 at 03:22

James Santiago

2,883
4
22
29

7

They're wanting to end another session not the current user's one, so this isn't appropriate – David Burton Sep 02 '15 at 12:13
Request.GetOwinContext().Authentication.SignOut(); – Pam Nelligan Aug 14 '20 at 19:57

VDWWD · Answer 3 · 2017-03-31T12:23:54.497

When you log out a user, it is also a good idea to overwrite the FormsAuthenticationTicket.

HttpContext context = HttpContext.Current;

//overwrite the authentication cookie
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, context.User.Identity.Name, DateTime.Now, DateTime.Now.AddDays(-1), false, Guid.NewGuid().ToString());
string encrypted_ticket = FormsAuthentication.Encrypt(ticket);

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted_ticket);
cookie.Expires = ticket.Expiration;
context.Response.Cookies.Add(cookie);

//clear all the sessions
context.Session.Abandon();

//sign out and go to the login page
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();

egrunin · Answer 4 · 2013-05-21T19:47:55.997

2

On some common page, check for the account being valid, and if it's been revoked, call Session.Abandon().

Edit (Just noticed this was still open.)

I know this works, because I do it.

On the master page, check the account status. That means on every navigation you have the chance to log them out.

(Final) Edit

Don't think of it as "I am terminating their session," think of it as "their session terminates itself."

edited May 21 '13 at 19:47

answered Jun 23 '10 at 03:21

egrunin

24,650
8
50
93

2

Isn't this just for the current user's session? I want to abandon another user's session... Something like Session(user).Abandon. – Testing123 Jun 23 '10 at 03:24
1

@Testing123 egrunin means that every user would be checking to see if their own account is invalid, if it is, then the application would remove their cookie. – FarFigNewton May 21 '13 at 19:38
Downvote because you need FormsAuthentication.SignOut(); – Juan Jul 12 '15 at 21:19
Re: `FormsAuthentication.SignOut()`: As @David Burton points out in another comment, that "They're wanting to end another session not the current user's one, so this isn't appropriate" – egrunin Sep 03 '15 at 20:01

Programmatically logout an ASP.NET user

4 Answers4

Linked