4

I am looking for a way to distroy the ASP.net membership session for a specific user. The reason I am doing this is as an admin I want to delete a user. This works fine, but if the user already has an active session, he is still marked as "online" until this session dies (I verify each time by using Current.User.Identity.IsAuthenticated).

How do I go about killing a session based on the user it's authorized as. This way when I do Memberships.DeleteUser(username) I can also do Sessions.KillByUser(username)

Thanks in advance

I ended up following their suggestion and using the following method, for anyone who has the same issue: http://www.chillaxen.com/2011/02/asp-net-force-a-user-offline-as-admin-destroy-a-session-by-username/

Anthony Greco
  • 2,885
  • 4
  • 27
  • 39
  • I believe if you use DeleteUser, it will logout the user ok, however this article doesn't agree with that http://stackoverflow.com/questions/1909234/log-out-asp-net-user-through-sql – PMC Feb 05 '11 at 10:47
  • Paul, I just tested it. It did not. I can check the database each time the user hits a page, but that is far from ideal. I'd rather be able to destroy the session then force calls to my database every time I want to check if a user is online (kills the point of sessions) – Anthony Greco Feb 05 '11 at 10:49

2 Answers2

1

How about adding a HttpModule which intercept PostAuthorizeRequest event: Check the users' credentials against a global list of IDs you want to "destroy". If there's a match, kill the users session.

Jakob Gade
  • 12,319
  • 15
  • 70
  • 118
0

As Jakob suggested Or you can try this... in the Global.asax check if the logged in user is in the 'List of user to be made Offline' then logout the user by forms authentication or deleting the cookie.

Nitin
  • 404
  • 5
  • 8
  • I ended up doing a variation of this using an application variable that holds a list of userId's, and when a request is made from an authorized user, I check against it logging them out as needed – Anthony Greco Feb 06 '11 at 10:57