
I have a method for an administrator to change a user's password or email address/username manually.

However, if the user has been using the application and has an auth cookie, when they come back to the site, they'll still be authenticated with the application, even though their password has changed.

How can I force these users' cookies to be flagged as invalid, and force re-authentication when they load a new page?

Ron Brogan

1 Answer

Best example I've seen has been an old SO post:

FormsAuthentication.SignOut();
Session.Abandon();

// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// clear session cookie (not necessary for your current problem but i would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

FormsAuthentication.RedirectToLoginPage();

Source: FormsAuthentication.SignOut() does not log the user out

UPDATE

Here's a starting point to add your logic as a filter for all users.

First, you need to create the custom action filter attribute:

using System.Web.Mvc;

public class CheckForLogoutAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Called by the ASP.NET MVC framework before the action method executes.
    /// </summary>
    /// <param name="filterContext">The filter context.</param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // filterContext.HttpContext may be needed for request/response
        // If using the global filter setup, be sure to confirm user is logged in first
    }
}

Then you can add this filter to specific controllers, either for every action in the controller or just for specific actions.

[CheckForLogout] // You can add it to specific controller(s)
public class HomeController : Controller
{
    [CheckForLogout] // Or you can do it only on certain action(s)
    public ActionResult Index()
    {
        return View();
    }
}

Or, you can add it to every request as a global filter. If you do this, be sure to add a check into your OnActionExecuting to verify the user is authenticated before your validation.

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new CheckForLogoutAttribute()); // Add for every request
    }
}
Jason W
  • I don't see a reason this wouldn't work for the current user, however, I'm looking for an admin resetting the auth cookie of a different user that may or may not be logged on currently. Am I overlooking the solution here? – Ron Brogan Aug 24 '15 at 17:30
  • You'd need a flag in your database and ensure your app checks that user-level flag on every request (easy to add with a filter in MVC you can add either globally or in controllers/actions needed) that would run this code for the user on their next request signing them out. – Jason W Aug 24 '15 at 17:32
  • If you use a database as your session store instead of inproc or state server, you might be able to kill the session of that user in the db. – Jason W Aug 24 '15 at 17:33
  • Alright, that makes sense. Adding a flag is trivial, but how can I ensure that the flag is checked every time an [Authorize]'d method is called? I don't think I've ever used a "filter" as you say. – Ron Brogan Aug 24 '15 at 18:44
  • This assumes the app is an MVC app based on the question tags. You would extend the "ActionFilterAttribute" class to create a "custom action filter" (googling this has a lot of good examples) and override the "OnActionExecuting" method to put your logic checking the flag. Then you add the attribute to either the global filters in app_start's FilterConfig (or global.asax based on your project) or as an attribute to the controller or action. I will put an example in the answer. – Jason W Aug 24 '15 at 18:49
  • Just added the example to get you started. – Jason W Aug 24 '15 at 19:21
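A filled-in version of the filter described in the answer and comments, added here as an example and not Jason W's code. Instead of a boolean flag that has to be cleared after one sign-out (and so only catches one device), it compares the forms ticket's IssueDate with the UTC time of the last admin credential change, so every ticket issued before that change is rejected. The ICredentialStampStore interface is a hypothetical lookup against your user table; it is resolved through MVC's DependencyResolver so the parameterless constructor still works with filters.Add(new CheckForLogoutAttribute()).

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical store (not part of the original answer): returns the UTC time at
// which an administrator last changed this user's password/email, or null if never.
public interface ICredentialStampStore
{
    DateTime? GetCredentialsChangedUtc(string userName);
}

public class CheckForLogoutAttribute : ActionFilterAttribute
{
    private readonly ICredentialStampStore _store;

    // Parameterless so the global-filter registration in the answer keeps working.
    public CheckForLogoutAttribute()
        : this(DependencyResolver.Current.GetService<ICredentialStampStore>()) { }

    public CheckForLogoutAttribute(ICredentialStampStore store) { _store = store; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        var identity = http.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return; // anonymous request: nothing to invalidate

        DateTime? changedUtc = _store.GetCredentialsChangedUtc(identity.Name);
        // A ticket issued before the admin changed the credentials is stale, even
        // though it is still cryptographically valid and unexpired.
        if (changedUtc.HasValue && identity.Ticket.IssueDate.ToUniversalTime() < changedUtc.Value)
        {
            FormsAuthentication.SignOut();
            http.Session?.Abandon();

            // Expire the auth cookie explicitly so the browser discards it.
            var expired = new HttpCookie(FormsAuthentication.FormsCookieName, "")
            {
                Expires = DateTime.Now.AddYears(-1),
                HttpOnly = true
            };
            http.Response.Cookies.Add(expired);

            // Short-circuit the action and send the user back to the login page.
            filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl);
        }
    }
}
```

Store the change timestamp with the admin's password/email update in the same transaction, and bump it on the user's own password change as well so older sessions on other devices are cut off too.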