ASP.net forms authentication - admin kills a single user session

We got a slightly strange question: is there a way to programmatically force one user to "log out" when registering as another user (for example, as an administrator)?

E.g., the administrator at Stack Overflow would decide that I should be logged out, click the button, and then I would be forced to log back in on my next SO request.

This is for a site that uses standard ASP.net forms-based authentication.

+4
1 answer

Since authenticated sessions are cookie dependent, they are not aware of each other.

Thus, you need to keep track of which users are registered, along with their roles, and do a check at the beginning of each request.

You start by tracking:

  • User A with the role 'admin' is registered. Create a string in the db.
  • User A with the role 'manager' logs in; now you mark the line from step 1 for expiration and create a new line for user A with the role 'manager'.
  • User A with the role 'admin' tries to perform some action. In the request start method, you check whether this session is marked for expiration. If it is, just log out, delete the line from step 1 and redirect to the login.
  • User A logs out: delete the user role command in the manager
+1
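
The per-request check described in the answer above, as an added example that is not part of the original answer. `SessionRegistry` and its members are hypothetical names, an in-memory dictionary stands in for the database table, and the per-login id is carried in the forms ticket's `UserData`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Web;
using System.Web.Security;

// Hypothetical helper; the dictionary stands in for the db table from the answer.
public static class SessionRegistry
{
    // Key: per-login id. Value: (user name, marked for expiration).
    static readonly ConcurrentDictionary<string, Tuple<string, bool>> Rows =
        new ConcurrentDictionary<string, Tuple<string, bool>>();

    // Login: create the row and carry its id in the ticket's UserData.
    public static void SignIn(HttpResponse response, string userName)
    {
        string id = Guid.NewGuid().ToString("N");
        Rows[id] = Tuple.Create(userName, false);
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), false, id);
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
    }

    // Admin button: mark every row of that user for expiration.
    public static void Revoke(string userName)
    {
        foreach (var row in Rows.Where(r => r.Value.Item1 == userName).ToList())
            Rows[row.Key] = Tuple.Create(userName, true);
    }

    // Unknown ids count as expired, so a stale id (e.g. after an app restart) fails closed.
    public static bool IsExpired(string id)
    {
        Tuple<string, bool> row;
        return !Rows.TryGetValue(id, out row) || row.Item2;
    }

    public static void Remove(string id) { Tuple<string, bool> row; Rows.TryRemove(id, out row); }
}

public class Global : HttpApplication   // code-behind of Global.asax
{
    // Runs on every request after FormsAuthenticationModule has read the cookie.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !SessionRegistry.IsExpired(identity.Ticket.UserData)) return;
        SessionRegistry.Remove(identity.Ticket.UserData);
        FormsAuthentication.SignOut();              // clears the auth cookie
        FormsAuthentication.RedirectToLoginPage();  // does not end the request itself
        CompleteRequest();                          // skip the handler for this request
    }
}
```

Keying the check on an id stored in `UserData` rather than on the ticket's issue date keeps it valid under sliding expiration, where the issue date is refreshed on renewal while `UserData` is preserved.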

Source: https://habr.com/ru/post/1392020/

