25

How can I sign out another user (not the currently logged-in one) in ASP.NET Core Identity?

I know there is a SignOutAsync() method in SignInManager, but there seems to be no override accepting user as argument. I'm looking for something like:

```csharp
signInManager.SignOutAsync(user);
```

Mariusz Jamro

2 Answers

46

First update the security stamp of that user:

```csharp
await userManager.UpdateSecurityStampAsync(user);
```

That user won't notice the change until the SecurityStampValidationInterval elapses, so set it to Zero for an immediate logout:

```csharp
services.AddIdentity<User, Role>(identityOptions =>
{
    // Enables immediate logout after the user's security stamp is updated.
    identityOptions.SecurityStampValidationInterval = TimeSpan.Zero;
});
```

Update: For ASP.NET Core Identity 2.x, 3.x, 5.x

```csharp
services.Configure<SecurityStampValidatorOptions>(options =>
{
    // Enables immediate logout after the user's security stamp is updated.
    options.ValidationInterval = TimeSpan.Zero;
});
```

Seagull
VahidN
  • Does this solution apply to asp.net identity 2.0 and above? – vivek Feb 13 '18 at 09:22
  • Updated the answer for ASP.NET Core Identity 2.x. – VahidN Feb 13 '18 at 09:30
  • 1
    This `severely impact` is just `one` query to the DB. If that DB is not able to handle it, change it! – VahidN Feb 13 '18 at 14:31
  • 3
    Just to be correct here - it's more than `one` query - counting 5 extra queries on ASP.NET Core 2.X (AspNetUser, AspNetUserClaims, AspNetUserRoles, AspNetRoles, AspNetRoleClaims) – Ole K Feb 22 '18 at 16:28
  • 5
    AFAIK this will result in DB queries for user "changes" on every request of every user, and this will impact all requests to your webapp. – Dmitry Jun 27 '18 at 15:23
  • Suppose you have disabled a user. (s)he should be logged out immediately, otherwise wait for further damages from that user... – VahidN Jun 28 '18 at 04:12
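
The two steps from the answer above, combined with the disabled-user case raised in the comments, as an added example that is not part of the original answer. `AppUser`, `RevocationSetup` and `AccountRevocationService` are hypothetical names, and using Identity's lockout as the "disabled" flag is an assumption.

```csharp
// Added example (not the answer's code). Type names here are hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class AppUser : IdentityUser { }

public static class RevocationSetup
{
    // Call after AddIdentity<...>() when registering services.
    public static IServiceCollection AddFastRevocation(
        this IServiceCollection services, TimeSpan interval)
    {
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            // TimeSpan.Zero re-validates the stamp on every authenticated request
            // (immediate logout, extra DB reads per request). A longer interval
            // lowers the load but lets a revoked cookie live until it elapses.
            options.ValidationInterval = interval;
        });
        services.AddScoped<AccountRevocationService>();
        return services;
    }
}

public class AccountRevocationService
{
    private readonly UserManager<AppUser> _users;
    public AccountRevocationService(UserManager<AppUser> users) => _users = users;

    // Disables the account (assumption: via lockout), then invalidates its cookies.
    public async Task<IdentityResult> DisableAndSignOutAsync(string userId)
    {
        var user = await _users.FindByIdAsync(userId);
        if (user == null)
            return IdentityResult.Failed(new IdentityError { Description = "User not found." });

        // Lock first so the user cannot sign back in once the cookie is rejected.
        var result = await _users.SetLockoutEnabledAsync(user, true);
        if (!result.Succeeded) return result;
        result = await _users.SetLockoutEndDateAsync(user, DateTimeOffset.MaxValue);
        if (!result.Succeeded) return result;

        // New stamp: cookies carrying the old stamp fail the next validation.
        return await _users.UpdateSecurityStampAsync(user);
    }
}
```

Because the stamp is stored per user, this signs the user out of every browser and device that holds a cookie issued before the update.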
1

I think you might find some revoke functionality, which forcefully signs the user out. It is not easily implemented currently because of the nature of stateless connections and token-based (or, we can say, claim-based) authentication.

A revoked user should access a token validation endpoint in order to check whether the token is valid or not. Until then, (1) the user could be shown as signed in, or (2) we need to implement the client (app or web) to access the token endpoint very frequently until token expiration or revocation.

SignIn/Out is tied to the token-authorized user identity scope, so the viable solution is to invalidate a token.

Youngjae
  • By token you mean "security stamp"? Something like: `IUserSecurityStampStore.SetSecurityStampAsync(newValue)` ? – Mariusz Jamro Jan 13 '17 at 08:00
  • 1
    Yes. Check out two helpful posts, please: http://stackoverflow.com/a/19505060/361100 http://stackoverflow.com/q/24570872/361100 – Youngjae Jan 13 '17 at 08:10