4

I'm using the ASPNET Identity tables for my MVC 5 application. Each night we perform "maintenance" on our database. If we modify something under that user, I want to inactivate their current session so that the next action they perform in the web application will kick them back to the login screen. The authentication/authorization already is built into my application using AspNet.Identity. I just need a way to wake it up by setting a flag if it exists.

For example the ASPNETUsers table has an "Inactive" column, but that's too permanent. I'm looking for the "ThisGuyIsLoggedIn" column.

This was close to the same problem, but the answer was to manage it from within MVC, which is not an option.

forcefully log out a specific user among all online users

Community
  • 1
  • 1
Rafiki
  • 630
  • 1
  • 8
  • 22
  • 1
    One possible approach would be for the SQL server to make a call to your MVC App with the user ID, then your MVC app caches a list of users to refresh. Is that a possibility here? – stephen.vakil Jan 21 '16 at 21:16
  • Well the maintenance is done with a stored procedure. I wasn't aware that a SQL stored procedure could invoke anything in MVC. But if so then yes that would be a possibility. – Rafiki Jan 21 '16 at 21:17
  • 1
    There are multiple ways of making web requests from a SQL proc, depending on whether you have CLR integration enabled, etc.. Here is one: http://stackoverflow.com/questions/9422914/calling-an-mvc3-action-from-a-sql-clr-stored-procedure Here is another one: http://stackoverflow.com/questions/22067593/calling-an-api-from-sql-server-stored-procedure – stephen.vakil Jan 21 '16 at 21:23

2 Answers2

3

After playing with some of the columns I realized, you can change the SecurityStamp column which will invalidate the user and cause any authentication to fail. Just don't change it to NULL.

 UPDATE AspNetUsers
 SET SecurityStamp = NEWID()
 WHERE Id = @USER_ID
Rafiki
  • 630
  • 1
  • 8
  • 22
  • Further context around this answer, which seems to me to be the way to go, can be found here: http://stackoverflow.com/questions/19487322/what-is-asp-net-identitys-iusersecuritystampstoretuser-interface – Brendan Green Jan 21 '16 at 21:30
3

I would like to share this link, with a full description of how to force user logout.

https://tech.trailmax.info/2015/09/prevent-multiple-logins-in-asp-net-identity/

full project on github: https://github.com/shaahink/Prevent-Multiple-Login-ASPNETIdentity

If you need to reset the security stamp:

 var result = await UserManager.UpdateSecurityStampAsync(user.Id);

It's very nice solution to reset user stamp from admin panel.

Alexei Bondarev
  • 812
  • 7
  • 9