
I use MVC (4) with Identity (2.0), and my web app has a page for admins to manage users.

One function of the admins is to inactivate (freeze) a user account. The way I implemented it:

Add a field in my DB called 'Active', and if the admin deactivates the user, the field value is '0'.

In order not to check every user on every page of my website, I do it only when the user is trying to log in, so before I let him log in I check this field.

But now I have the problem:

Use-case example: the admin deactivates the account of user "x", and after 10 minutes user "x" enters the site; the site "remembers" him and does not ask him to log in, so my check never happens.

If the site "remembers" the user and does not ask him to log in, I'm in trouble; I need somehow to sign out the user.

I read about cookies and the security stamp, and my conclusion is:

I need to change the security stamp of the user in order to prevent the site from "remembering" the user and allowing him not to log in.

First thing: did I get it right? Change the security stamp of a user and the site won't remember him?

Second thing: I noticed that the security stamp is a GUID, so I can generate it programmatically and insert it into the security stamp field of the user, yes? no? why?

If you have a better implementation for the whole thing... I'll gladly hear it :)

Thank you

Update: Maybe if I change some field of the user in the database (a field that I'm not using, like telephone) it will update the security stamp automatically?

Update2: Even if I generate a GUID manually and put it in the security stamp field (in the DB), it doesn't force the user to log out.

Ron
Just check the status of the user every time, using a filter. If he's disabled, just do a logout. – Fals Aug 20 '14 at 16:37
  • How can I "just do logout"? How can I log out a user? This is the main question of the post. – Ron Aug 20 '14 at 16:51
  • Try: `FormsAuthentication.SignOut();` – David Tansey Aug 20 '14 at 19:10
  • @Ron Hey, I have the same problem, have you managed to find a solution in the end? – hyperN Sep 16 '14 at 23:16
  • @hyperN Did you find a solution? I found a solution to bypass the problem; do you want the solution, or did you manage to get it together on your own? – Ron Sep 17 '14 at 12:22
  • @Ron I've got an answer here: http://stackoverflow.com/questions/25878218/asp-net-identity-2-0-sign-out-another-user/25887380#25887380 But I haven't had time to test it yet; it seems that it'll work – hyperN Sep 17 '14 at 12:26
  • @hyperN I've seen a couple of trialmax answers and he has very good answers to issues related to MVC; he is good. So have you tested it yet? Let me know, I'm curious... – Ron Sep 21 '14 at 19:35
  • @Ron Sorry, but not yet; I've decided to finish another major feature, then I'll test it and give you an update here :) – hyperN Sep 22 '14 at 13:55
  • @hyperN Thanks man, I'll be waiting.. – Ron Sep 23 '14 at 15:40
  • @Ron Hey, unfortunately I haven't had success, but I believe that is because I'm using Identity 1.0 instead of Identity 2.0, but not sure... – hyperN Sep 24 '14 at 14:37
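To answer the two questions in the post with code rather than a yes/no: the security stamp does what the question hopes, but only if the cookie middleware is told to validate it; a stamp that nothing reads never logs anybody out. The following is an added example, not code from the question or from the ASP.NET Identity project. It assumes the ApplicationUser, ApplicationUserManager, ApplicationDbContext and GenerateUserIdentityAsync names from the Visual Studio Identity 2.0 template, a bool Active column added to ApplicationUser, and an "Admin" role; AdminUsersController and its Deactivate action are hypothetical names.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Startup.Auth.cs. Assumption: ApplicationUser / ApplicationUserManager /
// ApplicationDbContext are the classes generated by the Identity 2.0 template.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // This hook is what makes the security stamp matter. Every
                // validateInterval the stamp claim carried in the cookie is compared
                // with the stamp in the store; on mismatch the cookie is rejected and
                // the user is signed out. Without it a "remembered" cookie stays valid
                // until it expires no matter what the SecurityStamp column says.
                // The interval is the longest a frozen user can keep browsing.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// Hypothetical admin controller: freeze the account and rotate the stamp in one step.
[Authorize(Roles = "Admin")]
public class AdminUsersController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Deactivate(string id)
    {
        var user = await UserManager.FindByIdAsync(id);
        if (user == null)
            return HttpNotFound();

        // Assumption: Active is the bool column the question added to the user table.
        user.Active = false;
        var result = await UserManager.UpdateAsync(user);
        if (!result.Succeeded)
            return new HttpStatusCodeResult(500, string.Join("; ", result.Errors));

        // Same effect as writing a fresh GUID into the SecurityStamp column by hand,
        // but done through the manager so it goes through the store like any other
        // change. Every cookie issued for this user, "Remember me" ones included,
        // now fails its next validation and the browser is sent to the login page.
        await UserManager.UpdateSecurityStampAsync(user.Id);

        return RedirectToAction("Index");
    }
}
```

Two things this clears up for Update and Update2. A hand-written GUID in the SecurityStamp column does invalidate the cookie, but only once OnValidateIdentity is registered and only at the next validateInterval tick, so with the default template wiring and a long interval it looks as if nothing happened. Changing an unrelated column through UpdateAsync does not rotate the stamp; the manager rotates it on its own only inside its security-sensitive operations (ChangePasswordAsync, SetPhoneNumberAsync and the like). Once the stale cookie is rejected the user lands on the login page, where the Active check the question already has refuses the new sign-in.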

2 Answers


I've used JavaScript to get the logout to happen

    <a href="javascript:document.getElementById('logoutForm').submit()"><i class="glyphicon glyphicon-log-out"></i> Log off</a>
WoZoNe
  • It will log out the admin... I need somehow to insert the ID of the user that I want to log out. – Ron Aug 20 '14 at 19:22
  • Ron, each user has their own session. If a user is logged into one session, the Admin, who is on a different session, shouldn't be logged out. It sounds like you want to put a freeze on a user account. I would add a field to the user table which tells if the account is frozen or not. And then each time I check "is user logged in" I would also check "and account is not frozen". If you are using roles, you could make a "frozen role" that essentially has no rights. – James Aug 28 '14 at 11:18

Even if the user is remembered by the browser, he still needs to be authorized. You can always perform this check on authorization rather than on authentication. That way, even if the user is in the process of browsing the site and the administrator freezes the account, his browsing won't be able to continue, because on the next authorization he will be logged out and unable to log back in.

Authentication: Who is this person, and is he really who he claims to be?

Authorization: Is the logged-in person authorized to perform this action or access this resource?

As suggested by James in a comment, I also agree that this can be implemented as a role or a claim. Look into claims with ASP.NET Identity and I'm sure you'll find the solution much more elegant and flexible.

WJK
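What "check on authorization rather than on authentication" looks like in MVC, covering both James's comment on the first answer (check "account is not frozen" every time you check "is user logged in") and this answer: an authorization filter that consults the Active flag on every request and ends the session the moment it finds the account frozen. This is an added example, not code from either answer or from ASP.NET Identity. It assumes the template's ApplicationUser and ApplicationUserManager (registered per OWIN context, so GetUserManager works), a bool Active column on ApplicationUser, and the OWIN cookie middleware; ActiveUserAuthorizeAttribute is a hypothetical name.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Drop-in replacement for [Authorize]: the usual authentication/role checks plus a
// per-request look at the Active column. Register it globally with
// GlobalFilters.Filters.Add(new ActiveUserAuthorizeAttribute()) or use it per action.
public class ActiveUserAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Not authenticated, or fails the configured Roles/Users: nothing more to do.
        if (!base.AuthorizeCore(httpContext))
            return false;

        var owin = httpContext.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        var userId = httpContext.User.Identity.GetUserId();

        // Read the current state from the store, never from the cookie: the cookie
        // only knows what was true when it was issued.
        var user = userManager.FindById(userId);
        if (user != null && user.Active)   // assumption: Active is the frozen/unfrozen flag
            return true;

        // Frozen (or deleted) account: end this session right now ...
        owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        // ... and rotate the security stamp so any other remembered cookie for the same
        // user dies at its next validation, not only the one that just hit this filter.
        if (user != null)
            userManager.UpdateSecurityStamp(userId);

        // false -> HandleUnauthorizedRequest -> 401 -> cookie middleware redirects to LoginPath,
        // where the login-time Active check refuses a fresh sign-in.
        return false;
    }
}
```

The trade-off is the one the question wanted to avoid: one user lookup per authorized request. If that cost matters, the security-stamp validator with a short validateInterval is the usual middle ground; the filter above is for sites where a frozen account must lose access on the very next request rather than within a few minutes. Either way, keep the check server-side: a claim or role stamped into the cookie at login is just as stale as the cookie itself until the identity is regenerated.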