ASP.net Identity 2.0 Sign-out another user

D

2

26

I'm using asp.net MVC and ASP.net Identity 2.0.

On my website Admin has option to ban user, and I would like when user is banned that he is automatically signed-out from website.

I know that I can sign-out current user by calling

AuthenticationManager.SignOut();

But is it possible to sign-out another user ? Or maybe shorter his session ? Or anything ?

I know I could make global filter on controllers prohibiting banned users from access but that filter would be ran against each user so I'm not quiet satisfied with that solution.

Docilu answered 16/9, 2014 at 20:52 Comment(1)

You should cache every ban user and then delete his cookie at the filter. – Toxoid 16/9, 2014 at 20:53

E

17

You'll need to configure cookie invalidation in Auth.Config.cs:

public void ConfigureAuth(IAppBuilder app)
{
    // important to register UserManager creation delegate. Won't work without it
    app.CreatePerOwinContext(UserManager.Create);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<UserManager, ApplicationUser, int>(
                    validateInterval: TimeSpan.FromMinutes(10),
                    regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },
        // other configurations
    });

    // other stuff
}

and then update security stamp as Hao Kung says when users are banned.

I've blogged about this recently

Eterne answered 17/9, 2014 at 9:52 Comment(4)

app.CreatePerOwinContext(UserManager.Create) - do the trick for me. I am using autofac, so in my case it looks like this: app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<Db>()); app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<Security.UserManager<User>>()); Where Db is DbContext and User is a class that is derived from IdentityUser – Hurdle 20/11, 2014 at 13:4

I don't quite understand this. I am using the standard template, so it generates app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create); which I guess it is the same with app.CreatePerOwinContext(UserManager.Create);? It doesn't work in my case :( – Chlorobenzene 26/8, 2020 at 2:13

I use identity server 4 skurba but i think there is no such Middelware for .net core 6 and identity server 4 . – Gustatory 1/1, 2023 at 10:25

@Gustatory this answer is over 8 years old. At that time there was no .net Core, nevermind v6 of it. Of course it does not match your code. – Eterne 5/1, 2023 at 14:9

B

19

If you use the securitystampvalidator feature, when a user is banned just call: UpdateSecurityStamp(userId) to cause any existing login cookies to be invalid the next time they are checked.

More info about SecurityStamp?

Beware answered 16/9, 2014 at 21:15 Comment(2)

I've added that line of code in my project but user wasn't logged out, can you explain me bit further how should I use it ? – Docilu 16/9, 2014 at 23:11

It doesn't log the user out immediately, there's the validateInterval on the security stamp which you need to configure for how often the cookie is validated. – Beware 17/9, 2014 at 18:50

E

17