13

In my application I am using Forms-Authentication to sign in and sign out users.

One feature is that an admin can change the username of other users. In that case, I need to sign out the user whose username was changed.

If I do not, due to the cookies set before, they gain access to the application and receive error messages (since their username no longer exists and there are parts where I use their username for some functionality).

How can I force these users to log out using Forms Authentication?

UPDATE:

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        string controller = filterContext.RouteData.Values["controller"].ToString();
        string action     = filterContext.RouteData.Values["action"].ToString();
        // Below returns the previous username, which does not exist anymore in db.
        string userName = HttpContext.Current.User.Identity.Name;

        using (UnitOfWork unitOfWork = new UnitOfWork())
        {
            if (!unitOfWork.UserRepository.UserExists(userName))
            {
                // Expire the auth cookie and drop server-side session state.
                FormsAuthentication.SignOut();
                filterContext.HttpContext.Session.Clear();
                filterContext.HttpContext.Session.Abandon();
                // I am not using Roles.
            }
        }
        base.OnActionExecuting(filterContext);
    }

In my custom global filter, I check whether the user exists or not; if not, I sign them out. However, it is not working. By "not working" I mean they pass authentication and gain access to the application.

Thanks in advance.

emre nevayeshirazi

2 Answers

9

Here's what you do to force a user to sign out:

public void UserPasswordChangedHandler()
{
  FormsAuthentication.SignOut();
  Roles.DeleteCookie();
  Session.Clear();
}

I don't think a line-by-line explanation is required; it's self-explanatory enough. Please let me know if I am mistaken.

Update

The straightforward answer to your additional question is to keep a per-user boolean that tracks whether the user's data was updated by an admin, and if so, just redirect them to the login page.

Please see the following articles for information on forced logout using Forms Authentication:

Update 2

Clearing cookies

Hope this helps you.

Display Name
  • I think this signs out the logged-in user. I want to sign out other users whose password is changed by an admin. Well, I can certainly use this code to sign that user out, but how can I tell that their password has changed? In other words, when should this method be called? – emre nevayeshirazi Sep 12 '12 at 07:25
  • Glad the code I provided was of help. To answer your additional question (how to handle), please see the update in my answer. – Display Name Sep 12 '12 at 12:58
  • Thanks again. I use your code in my custom ActionFilterAttribute filter. There, I check whether the username exists or not; if it does not (this condition is satisfied when I change my own username), I sign the user out. However, the problem persists. The user's cookie stays and he gains access to the application. Any ideas? I updated my question with the filter code. – emre nevayeshirazi Sep 12 '12 at 17:19
  • Try this: `this.ControllerContext.HttpContext.Response.Cookies.Clear();` – Display Name Sep 12 '12 at 17:43
  • See Update 2 in the answer. They all successfully delete cookies; there is no reason you should not be able to. – Display Name Sep 12 '12 at 20:09
  • Still not working, but it should be. Probably I am doing something else wrong. Thanks for your time. – emre nevayeshirazi Sep 12 '12 at 22:05
2

When a user needs to become invalidated you must add their details to some kind of internal static list.

Then on every page request (possibly using Application_BeginRequest) see if the current user is in that list, and if so, call FormsAuthentication.SignOut there and then.

It seems like a bit of a hack, but it's the best I can think of right now.

Note that removing a user-in-absentia's session state is another issue entirely.

Dai
  • We do a similar thing to stop multiple users logging on from different machines: we generate a token (based on the user's PC information) for each login and then check whether that token is the same; if not, we force a sign-out. – Daniel Powell Sep 12 '12 at 00:18
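As an added example (not code from the question or from either answer), here is the per-user flag suggested in the first answer's update and the "static list checked on every request" from the second answer combined into one ASP.NET MVC pattern. `ForcedSignOutRegistry`, `ForceSignOutAttribute` and `ForcedSignOutWiring` are hypothetical names; the static in-memory store assumes a single web server, and the login helper assumes credentials have already been validated by code not shown here.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical server-side "must sign out" registry, keyed by the username stored in the
// forms ticket. Assumption: a single web server; on a web farm this would live in the
// database or a distributed cache rather than a static field.
public static class ForcedSignOutRegistry
{
    private static readonly ConcurrentDictionary<string, byte> Pending =
        new ConcurrentDictionary<string, byte>(StringComparer.OrdinalIgnoreCase);

    // The admin code path calls this right after renaming the user or changing their password.
    public static void Revoke(string userName)
    {
        Pending[userName] = 0;
    }

    public static bool IsRevoked(string userName)
    {
        return Pending.ContainsKey(userName);
    }

    // Called after a successful login so the flag does not outlive the re-authentication.
    public static void Clear(string userName)
    {
        byte ignored;
        Pending.TryRemove(userName, out ignored);
    }
}

// Global action filter: rejects any request whose forms ticket names a revoked user.
public sealed class ForceSignOutAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;
        FormsIdentity identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;

        if (identity != null && identity.IsAuthenticated &&
            ForcedSignOutRegistry.IsRevoked(identity.Ticket.Name))
        {
            // Expire the auth cookie on the response; the browser drops it on its next request.
            FormsAuthentication.SignOut();

            // Drop server-side session state as well, if sessions are enabled for this request.
            if (ctx.Session != null)
            {
                ctx.Session.Clear();
                ctx.Session.Abandon();
            }

            // SignOut() only changes the outgoing cookie; the current request already carries
            // an authenticated identity and would otherwise run the action. Setting Result
            // short-circuits the pipeline so the action never executes.
            filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl);
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

// Wiring shown for context: register the filter globally, and clear the flag at login.
public static class ForcedSignOutWiring
{
    // Call from Application_Start, e.g. Register(GlobalFilters.Filters).
    public static void Register(GlobalFilterCollection filters)
    {
        filters.Add(new ForceSignOutAttribute());
    }

    // Hypothetical tail of a login action, run only after credentials have been validated:
    // clear any pending revocation, then issue a fresh ticket.
    public static ActionResult AfterCredentialsValidated(string userName, string returnUrl)
    {
        ForcedSignOutRegistry.Clear(userName);
        FormsAuthentication.SetAuthCookie(userName, false);
        return new RedirectResult(string.IsNullOrEmpty(returnUrl) ? "~/" : returnUrl);
    }
}
```

The point that distinguishes this from the filter in the question is the `filterContext.Result` assignment: `FormsAuthentication.SignOut()` expires the cookie for future requests but does nothing to the request in flight, so without short-circuiting, the action still runs under the stale identity. The same short-circuit applies if the filter checks a repository (`UserExists`) instead of a revocation flag. Note also that `Response.Cookies.Clear()` only empties the server's outgoing cookie collection; a cookie is removed from the browser by sending it back with a past `Expires` date, which is what `SignOut()` does for the auth cookie.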