Question

I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.

Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.

I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.


Solution

Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).

There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".

Upon successful login, generate a token (a GUID perhaps) and store that with the session. Also write this to an application-wide store (database or application context for instance) keyed by the userid.

In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.
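
The token check described in this answer, sketched as an action filter (an added example, not code from the original answer). `LoginTokenStore`, `SingleSessionAttribute` and the `"LoginToken"` session key are hypothetical names, and the in-memory dictionary stands in for the application-wide store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical application-wide store: user name -> token of the newest login.
// In-memory, so it only covers one worker process; use a database row per
// user when the site runs on a web farm or must survive app-pool recycles.
public static class LoginTokenStore
{
    private const string SessionKey = "LoginToken"; // assumed session key name
    private static readonly ConcurrentDictionary<string, string> Current =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call right after FormsAuthentication.SetAuthCookie in the login action.
    public static void Register(HttpSessionStateBase session, string userName)
    {
        string token = Guid.NewGuid().ToString("N");
        session[SessionKey] = token;   // this browser's copy
        Current[userName] = token;     // replaces the token of any older login
    }

    public static bool IsCurrent(HttpSessionStateBase session, string userName)
    {
        string mine = session == null ? null : session[SessionKey] as string;
        string latest;
        return mine != null
            && Current.TryGetValue(userName, out latest)
            && string.Equals(mine, latest, StringComparison.Ordinal);
    }
}

// Apply to the common base controller, or register as a global filter.
public class SingleSessionAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;
        if (!http.User.Identity.IsAuthenticated) return; // [Authorize] handles anonymous

        if (!LoginTokenStore.IsCurrent(http.Session, http.User.Identity.Name))
        {
            // A newer login replaced this session's token (or the session expired).
            FormsAuthentication.SignOut();
            if (http.Session != null) http.Session.Abandon();
            filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl);
        }
    }
}
```

The older workstation is signed out on its next request, not at the moment the second login happens, which matches the statelessness point made at the start of the answer.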

Other tips

You could use the Membership.IsOnline property which is based on LastActivityDate:

A user is considered online if the current date and time minus the UserIsOnlineTimeWindow property value is earlier than the LastActivityDate for the user.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow