Invalidate another users session variables - asp.net

I'm thinking of a situation where an administrator makes some changes to another user in the system who happens to be logged in. Is there any programmatic way to invalidate that specific user's session variables and force them to be repopulated?
Use case:
1) Admin edits Bob's preferences.
2) Business logic clears Bob's preferences stored in session.
3) Preferences saved to database.
Thanks

One way is to clear the other user's session cookie.
The other way is to create your own SessionIDManager (derive from the built-in one). Then when the Validate method is called with the other user's session ID, you can return false.
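The SessionIDManager route from the second suggestion, as an added example that is not code from the answer: a subclass whose Validate rejects session IDs an admin has revoked. The user-to-session map, the in-process revocation set and the assembly name in the web.config line are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web.SessionState;

// Revocation set and user->session map live in process here; a web farm needs a shared
// store (database or cache) for both. Register in web.config with
//   <sessionState sessionIDManagerType="RevocableSessionIDManager, YourAssembly" />
public class RevocableSessionIDManager : SessionIDManager
{
    // session ID -> UTC time of revocation; prune entries older than the session timeout.
    private static readonly ConcurrentDictionary<string, DateTime> Revoked =
        new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);

    // user name -> current session ID, so the admin can find Bob's session by name.
    private static readonly ConcurrentDictionary<string, string> SessionOf =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call after login, once something has been stored in Session: until then ASP.NET
    // hands out a new ID on every request, so Session.SessionID is not yet stable.
    public static void RegisterLogin(string userName, string sessionId)
    {
        SessionOf[userName] = sessionId;
    }

    // Admin business logic calls this after editing Bob's preferences. Returns false if
    // no session is recorded for that user.
    public static bool RevokeSessionOf(string userName)
    {
        string sessionId;
        if (!SessionOf.TryRemove(userName, out sessionId)) return false;
        Revoked[sessionId] = DateTime.UtcNow;
        return true;
    }

    // The runtime calls Validate on the ID read from the request cookie. Returning false
    // makes it discard that ID and start a fresh, empty session, so Bob's preferences are
    // reloaded from the database on his next request while his login cookie is untouched.
    public override bool Validate(string id)
    {
        return base.Validate(id) && !Revoked.ContainsKey(id);
    }
}
```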

Related

ASP.NET how to logout user all session when password is reset/change

As an Admin, I am able to reset the password for all users. May I know how I can log out a particular user's "all" sessions across all devices/PCs when I reset his password?
Example:
1) User1 logged in to PC1, PC2 and PC3.
2) Admin reset/change password for User1.
3) System logout session in PC1, PC2 and PC3.
How can it be done in ASP.NET?
Thanks.
It is possible; Facebook and Gmail do that, but it is not simple.
Use a flag in the database that is checked on Session_Start and invalidates the user's session if it is set. It need not be a boolean: you can use a DateTime value and invalidate all sessions that started prior to that time. This could be done by checking a value stored in a cookie upon login.
Check the StackOverflow discussions below; I think they will help you.
I know this is an old issue, but I believe there is an easier method. This method does not provide the functionality of listing all of the active sessions. But it is a very simple and straightforward method of invalidating other sessions when changing password.
Add a column called SecurityStamp to your user table. If a user logs in and this column is not populated, populate it with a random GUID. Or you could pre-populate the entire table.
When the user logs in, add the value found in the table to a session variable. On every page load, check that their session variable matches what is in the database.
When a user changes their password, update the value in the database with a new random GUID. Additionally, update the session variable for the user who changed the password. You could also add a button that invalidates other sessions without having to change the password.
If the user was logged in from a different device, the session variable associated with that other device's login will not have been updated. When they try to access any page, your check will find that their session variable does not match the database and force them to log out.

Force reauthentication after user permissions have been changed

In my application I can change user permissions and roles in the backend.
When a user is logged in and I remove a role from the user, the user can still access content that he is actually no longer permitted to access, because he is missing the role. The changes take effect only when the user reauthenticates himself with logout/login.
So my question is, can I access the session of a logged in user (not me)? I know I can access my own session and destroy it which forces me to login again. But I want to get the session of any user who is logged in. Is this possible? I could not find any resources about that.
I use PdoSessionStorage with Symfony 2.1 and FOSUserBundle.
Make your user class implement Symfony\Component\Security\Core\User\EquatableInterface.
If you return false from the isEqualTo() method, the user will be reauthenticated. Use that method to compare only those properties that when changed should force reauthentication — roles in your case.
You can get around this issue by following an approach similar to what I did:
When the user logs in, store all permissions in session along with a checksum of those permissions.
Store the same checksum in a database, or on disk, against that user ID.
Whenever the user makes a request, verify that the checksum on disk matches the one in session for that user. If it is different, reload the permissions into the user's session.
When you change the permissions, update the checksum in the database (or on disk) that is stored against that user. This will trigger a resync on their next request.
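The SecurityStamp check from the password-reset answer above and the checksum resync described here are one mechanism: a per-user value copied into the session at login is compared with the authoritative copy on every request. Added example in ASP.NET C# (the rest of this page is ASP.NET; it is not code from any of the posts): an HttpModule that does both, where IUserStore and StoreFactory are hypothetical stand-ins for the user table and the login code is assumed to have copied the three values into Session["SecurityStamp"], Session["RolesChecksum"] and Session["Roles"].

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public interface IUserStore   // hypothetical data access for the user table
{
    string GetSecurityStamp(string userName);   // random GUID column, rotated on password change
    string GetRolesChecksum(string userName);   // RolesChecksum() of the role set, updated with the roles
    string[] GetRoles(string userName);         // fetched only when the checksum differs
}

public class StaleSessionModule : IHttpModule
{
    public static Func<IUserStore> StoreFactory;   // set at application start
    // Order-independent hash of the role set; the admin UI stores it whenever it edits roles.
    public static string RolesChecksum(string[] roles)
    {
        var canonical = string.Join("\n", roles.OrderBy(r => r, StringComparer.Ordinal));
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }
    // Session state is attached at AcquireRequestState, so check one step later.
    public void Init(HttpApplication app)
    {
        app.PostAcquireRequestState += (s, e) => Check(((HttpApplication)s).Context);
    }
    public void Dispose() { }
    private static void Check(HttpContext ctx)
    {
        if (ctx.Session == null || !ctx.User.Identity.IsAuthenticated) return;
        var store = StoreFactory();
        var user = ctx.User.Identity.Name;
        if (ctx.Session["SecurityStamp"] as string != store.GetSecurityStamp(user))
        {   // stamp missing or different: password was changed elsewhere, end this login
            ctx.Session.Abandon(); FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();  // redirects without ending the response,
            ctx.ApplicationInstance.CompleteRequest();  // so skip the rest of the pipeline explicitly
            return;
        }
        var checksum = store.GetRolesChecksum(user);
        if (ctx.Session["RolesChecksum"] as string != checksum)
        {   // roles were edited: resync permissions instead of logging the user out
            ctx.Session["Roles"] = store.GetRoles(user);
            ctx.Session["RolesChecksum"] = checksum;
        }
    }
}
```

A session that was never seeded (for example one that expired while the forms ticket stayed valid) fails the stamp comparison and is ended too, which is the safe direction: the ticket alone is not evidence that the password is still current.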

Difference between JSP/ASP session object Sessions & website User Account Sessions? Are they different?

I was revising the concept of Session Objects in JSP & ASP.Net.
I was confused, 'when an actual Session Object is created?'
Until recently I thought it was created when a user logs into his account, but now I read in the books that it's implicitly created when the user visits any page on your site.
So when is it actually created? And are JSP sessions different from Website User Account sessions?
If the latter is correct, is a second new Session created when a user actually logs into his account, and the previous session destroyed?
E.g.: A shopping site may allow a user to select many items and 'Add to My Cart'. What happens to this data after he logs in? Is a new session created internally after destroying the initial one?
If this seems confusing, then you can just specify how Session is typically implemented in real-world systems (as I'm a student)? When is the session typically started? What data is stored in it? What is the typical timeout you set and why?
My research: JSP sessions are an abstract concept and user account sessions are implementation specific. Both are different.
A session is typically implemented by
generating a unique token,
creating a Session object to hold session data and store it in a map, indexed by the unique token,
sending a session cookie containing this token to the browser.
Each time a request comes in from this browser, it contains the cookie, and the container can thus retrieve the appropriate session from its internal map of sessions.
So yes, a session can exist before a user is authenticated, or even without authentication at all. And when a user is authenticated, he keeps the same session. The only difference is that you typically add the user ID in the session, in order to associate the user with the session.
You could thus, for example, let anonymous users shop and add items to their cart in the session, and only ask them to authenticate once they need to pay (to retrieve their stored account). Or you could let them add items to their cart, and never authenticate them at all.
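The three steps above, as an added example that is not part of the answer: a minimal in-memory session container in C# (the language of most of this page) showing that the session exists before login and that logging in keeps the same data, here the cart. The SID cookie name and the SessionData shape are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public class SessionData
{
    public string UserId;                                // null until the user authenticates
    public List<string> Cart = new List<string>();
}

// Single-threaded and without idle timeout for brevity; a real container adds both.
public class SessionStore
{
    private readonly Dictionary<string, SessionData> _sessions = new Dictionary<string, SessionData>();
    // Step 1: the token is all that ties a browser to its data, so it comes from a CSPRNG.
    private static string NewToken()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
    // Step 2: create the object and index it by the token, on the first request that has no
    // valid SID cookie, logged in or not. Step 3 is the caller's: Set-Cookie: SID=<token>; HttpOnly; Secure.
    public string Create()
    {
        var token = NewToken();
        _sessions[token] = new SessionData();
        return token;
    }

    // Every later request presents the cookie; an unknown token yields null.
    public SessionData Get(string token)
    {
        SessionData s;
        if (token != null && _sessions.TryGetValue(token, out s)) return s;
        return null;
    }

    // Login attaches the user ID to the existing data, so the anonymous cart survives.
    // The token is replaced so an ID issued before authentication is not honoured after it.
    public string Login(string oldToken, string userId)
    {
        var s = Get(oldToken) ?? new SessionData();
        if (oldToken != null) _sessions.Remove(oldToken);
        s.UserId = userId;
        var fresh = NewToken();
        _sessions[fresh] = s;
        return fresh;                                    // caller sends it in a fresh Set-Cookie
    }
}
```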

Invalidate session of other user

I've made an asp.net site, which uses Session objects to store information for each logged in user. To check if a user is still logged in, I check if a certain object exists in the Session.
The system uses Jasig CAS authentication, and the single sign-on part works (as in: after the login, the Session object of the user is set up correctly).
CAS also supports single sign-out. The way this happens is that CAS calls a URL on my site, with some parameters about the CAS session.
What I need to do now, is invalidate all Session objects for the specified user.
How can I, from a page on my site, invalidate the Session object of some other user? Is there a DB I can clear, or is it all in memory (I can look at web.config if I know what to look for)?
I've seen this question asked before, and most answers are "keep a global variable next to the Session global variable, and check that one too to see if the user should be logged out or not", but I don't like that solution...
Cheers!
The session is by design private to individual users. Therefore to abandon it, it has to be done by the user.
So you might have to use another list and check that.
Ideally though, you shouldn't tie your authentication state to the session. Whether the user is authenticated or not should be independent. You can then choose to abandon the session by querying the authentication state. It also makes it easier to implement mechanisms like counting logged in users & ensuring login from only 1 location - should you require these.

MVC2 and Session Start Event

The Setup:
Account controller with the typical logon / logoff stuff that comes baked in from the template. Not much modification here on the logon page. Using a custom membership provider (SQL), but I don't think that is impacting what I am trying to do here.
The Requirements:
The client wants to handle licensing by limiting concurrent users and not by total users. So, after referencing this post here, I set out to make this work for what I need to do. And that is to track maximum and current users for each organization that has signed up for our application. No problem, just have an application("max") and application ("current") which are both hashtables with the key being the organization id and the value being current or max users for the organization. On Session_Start, I would increment the current users, check if it exceeds max and either a) redirect to an error page or b) let them go on with what they need to do. On Session_End, I would decrement the count.
The Problem:
When using formsService.signIn, what is actually stored in session? I cannot seem to gather any information about my session in the session_start except for the session ID. So, I cannot increment the correct number for user tracking. And I cannot add a variable to session as session_start will have already fired before I get the opportunity.
The notion that session is somehow connected with authentication is a myth. They are entirely independent of each other. Session can even be shared between multiple users if they happen to share their session key; that's why you never put security-sensitive info in session. Session can also expire while you're logged in. Likewise, your session is still active after logout unless you explicitly abandon it.
Session is more like a user-specific cache.
So you need to accept this fact and adapt to it. Look and see if the current user is authenticated during session start. You'll need to increment during logon as well, since the session will have already started. Etc.
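Added example, not from the question or the answer: a per-organisation seat counter kept in Application state, as the question proposes, but taken at logon and released at logoff, as the answer says, since on the logon page Session_Start fires before the user is authenticated. The LicenseLimit view, Session["OrgId"] and the orgId/maxSeats lookup are assumptions; FormsService and MembershipService are the MVC2 template's helpers.

```csharp
using System.Collections.Generic;
using System.Web;

public static class SeatCounter
{
    private static readonly object Gate = new object();   // Application["current"] is shared by all requests

    // Takes one seat for the organisation; returns false, leaving the count unchanged, when it is full.
    public static bool TryTakeSeat(HttpApplicationState app, int orgId, int maxSeats)
    {
        lock (Gate)
        {
            var current = app["current"] as Dictionary<int, int> ?? new Dictionary<int, int>();
            int inUse;
            current.TryGetValue(orgId, out inUse);
            if (inUse >= maxSeats) return false;
            current[orgId] = inUse + 1;
            app["current"] = current;
            return true;
        }
    }

    public static void ReleaseSeat(HttpApplicationState app, int orgId)
    {
        lock (Gate)
        {
            var current = app["current"] as Dictionary<int, int>;
            int inUse;
            if (current != null && current.TryGetValue(orgId, out inUse) && inUse > 0)
                current[orgId] = inUse - 1;
        }
    }
}

// AccountController.LogOn, after MembershipService.ValidateUser succeeded (orgId and
// maxSeats come from a hypothetical lookup of the user's organisation):
//   if (!SeatCounter.TryTakeSeat(HttpContext.Application, orgId, maxSeats))
//       return View("LicenseLimit");          // no seat: do not call FormsService.SignIn
//   FormsService.SignIn(model.UserName, model.RememberMe);
//   Session["OrgId"] = orgId;                 // remembered so the seat can be released
// LogOff, and Global.asax Session_End (which only fires with InProc session state),
// read Session["OrgId"] and call SeatCounter.ReleaseSeat(Application, orgId).
```

Seats held by sessions that simply time out are released only through Session_End, so with StateServer or SQL Server session state a timed sweep of last-seen times is needed instead; the counter also lives in one process, so a web farm has to keep it in the database.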
