A slightly odd question came through to us. Is there way to programatically cause a single user to be 'logged out' when logged in as another user (e.g. as an administrator).
e.g. An admin on stackoverflow would decide that I should be logged out - click a button and then I would be forced to log in again on my next SO request.
This is for a site using standard forms based authentication running ASP.net.
Because the authenticated sessions depend on the cookie, they don't know about each other.
So you need to track the logged in users may be along with their roles. And perform a check at the beginning of every request.
You start by tracking:
user A - role 'admin' logs in. Create a row in db
user A - role 'manager' logs in, now you mark the row in step 1 as expired, and create a new row for user A - role 'manager'
user A - role 'admin' attempts to perform some action. In the begin request method, you will verify if this session is marked for expiration. If it is simply logout, remove the row in step 1 and redirect to login.
user A clicks logout, remove user A - role 'manager' row
Related
In MVC5 asp.net - Is there a way to allow user login only if the user has a particular claim in the user database? I'd like to assign a "CanLogin" claim to users in my user database that are allowed to log in at any given time. By removing the "CanLogin" claim, I could effectively lock the users out of the system until further notice.
This would have to work for a first time login as well as cookie login at a later stage if the user has checked "remember my login".
Using authentication filter, you can check the identity.claims property to validate whatever claims are present in the context.
The claims must be added during the login process
Then you can check whether a particular user is enabled or not.
However, if the user database is self maintained, you can just set a disabled flag and then reject the login request, instead of returning such a claim.
The claims are used for Authorization to a particular functionality rather than Authentication to an app. A valid user will have certain claims which can tell what all the user is permitted to do.
I'm setting up Forms Authentication for the first time.
I am validating the username and password(hashed) against a local SQL database.
All of this is working fine in my logon.aspx file in a ValidateUser() function.
I am also allowing the logon criteria to be persistent so the user does not have to re-enter their credentials when they return to the page.
The problem is, when the previously logged in user returns to my site and the cookie/ticket is used my ValidateUser() function is not called, SO... if I have deactivated the user or changed the user's password the user still gets logged in.
I've considered doing this in Application_AuthorizeRequest or Application_PostAuthorizeRequest in Global.asax, but I would also like to set some session variables at the time I re-verify the credentials against the database and the session is not yet created when these are called for the first time when a user logs in.
Any advise would be greatly appreciated.
For first time when user authorized at that time create session for that user e.g Session["Username"] check session whenever he enters in any page if session is not present redirect him to login page, after that when he log out abandon that session.
So whenever he want to access next time he wants to login again.
I have a ASP.NET website where multiple users access the site using same user credentials. The site functions fine when used by single user, however when a second user with the same credentials logs in simultaneously and the first user performs any action (clicks any link, selects any dropdown etc.), the first user is redirected to the default/login page. I want both the users to access the site without any trouble.
Can any one comment on why this is happening and how this can be solved.
My guess for the reason of the behaviour would be the authentication method you are using. Probably when the first user logs in he gets a session ID that authorises him for the following requests.
When another user uses the same credentials to log in, different session ID is created for that user so the ID the first user has is not valid any more, and therefore he gets redirected to the login page.
Consider the case of forms authentication with persistent cookies.
If the same user logged in using two different browsers or two different machines, when user logs out from one of the browser/machine, wouldn't still he be able to login from the other browser/machine?
Usually, how do web applications handle this case?
I have to agree with Srinivas for the most part. Here is my take on the subject
On Login create an HTTP Only cookie with a guid generated at login this will be your browser/computer key. Closing browser will remove cookie
Get user id
Persist in the pair in user table ex: user:a, key:12345
On subsequent requests authentication algorithm after user has been authenticated
Get the last used key in the db with current user id
Check that the cookie is present, if not then completely unauthenticate
Check that the cookie value is the same as that in the database, if not then completely unauthenticate
With this method any subsequent login will cause a required reauthentication & invalidate any other authentications. In effect forcing the user to use only 1 browser/computer
I usually do it this way : I have a session column in my user table(in database) When the user logs in I store the value Y in it.I change it to N when he logs out.Every time the user tries to log in, I check the value in the corresponding session column and if it is Y I tell the user that he is already logged in and if it is N then I allow the user to log in. But we have to be careful and set the value to N when the user logs out or closes the browser.
Forms Authentication with cookies (regardless of whether they are persistent or not) is browser session based (persistent cookie would of course work across multiple sessions of same browser (on same user account on same machine). So two browser sessions (or two different browsers or browser on two machines etc) would be treated as different scope as far forms authentication is concerned.
So user can make multiple login from different browser sessions and logout in one will not affect other. Its is up to web application whether to allow multiple concurrent logins for same user or not. For example, online banking sites would restrict to only one user session - so if user logs in from different session then earlier session is invalidated (i.e. user is logged out). One has to write custom implementation in ASP.NET to do so - typical implementation would make every user session entry into database (typically required for audit purposes anyway) - so whenever new entry is added, a check is made to see if there is any active session for same user and if yes then that session is marked inactive. Every request would check if current user session is active or not, if not then it would flag such message to user.
I am aware of the mechanism for preventing multiple user logins: In asp.net site how to prevent multiple logins of same user id?. My scenario is different.
On my website, a single page checks if the user is logged in (default .NET membership provider). Once the user is authenticated, the page redirects them to a premium service on a third-party server. This means I can't use the above mechanism to check on each page the current session ID against a previously stored session ID.
On login, I need to end all previous sessions for the current user. All methods that I came across (e.g. FormsAuthentication.SignOut) only target current user. Is it possible to log out user by membership user name, so no two visitors to the site use the same user name?
You could create a table/custom membership field/static dictionary/etc that tracks a user's current session ID. When the user logs in, set that value to the current ID. Then, in your global.asax handle Application_AuthenticateRequest and check if the current session matches what you have stored. If not, perform the SignOut/redirect.