0

I am working on an ASP.NET MVC website; it's an e-commerce website. I am using ASP.NET Identity.

I have added new functionality to block users when they create spam advertisements. I have added an IsBlocked flag to the user table, and if the flag is set, that user can no longer log in to the website.

But if the user is already logged in and has a valid session/cookie, then they can continue using the website until they log out or their session expires. Is it possible to invalidate their existing session (if any) when they are blocked?

Hooman Bahreini

1 Answer

1

From here:

When you set IsBlocked, update the SecurityStamp of the user as well via:

await userManager.UpdateSecurityStampAsync(user);

So the next time the SecurityStamp of the user is validated against the principal that results from the cookie, the validation will fail and the user will be signed out.

You control the length of the interval at which the security stamp is validated via:

services.Configure<SecurityStampValidatorOptions>(options =>
{
    options.ValidationInterval = TimeSpan.FromMinutes(30); // 30 minutes is default
});

Be sure to call it after AddIdentity.

You could set the ValidationInterval to zero, but that would cause a validation and consequently a database request for every request the user is making.

sprengo
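The blocking step and the stamp rotation from the answer combined into one operation, as an added example that is not part of the original answer. `ApplicationUser`, `UserBlockingService` and `BlockAsync` are hypothetical names, and ASP.NET Core Identity is assumed, as in the answer's configuration snippet.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Assumed user type: the question's IsBlocked flag added to the Identity user.
public class ApplicationUser : IdentityUser
{
    public bool IsBlocked { get; set; }
}

// Hypothetical service; not part of ASP.NET Core Identity itself.
public class UserBlockingService
{
    private readonly UserManager<ApplicationUser> _userManager;

    public UserBlockingService(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    public async Task<IdentityResult> BlockAsync(string userId)
    {
        var user = await _userManager.FindByIdAsync(userId);
        if (user == null)
        {
            return IdentityResult.Failed(new IdentityError
            {
                Code = "UserNotFound",
                Description = "No user with the given id."
            });
        }

        // Persist the flag first, so the login check already rejects the
        // account by the time the existing cookies stop validating.
        user.IsBlocked = true;
        var flagResult = await _userManager.UpdateAsync(user);
        if (!flagResult.Succeeded)
        {
            return flagResult; // Do not rotate the stamp if the block was not saved.
        }

        // Rotate the stamp: cookies issued earlier carry the old value and
        // fail the next security stamp validation, which signs the user out.
        return await _userManager.UpdateSecurityStampAsync(user);
    }
}
```

An already signed-in user is signed out at the next stamp validation, so the cookie can remain usable for up to `ValidationInterval` after `BlockAsync` returns.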