Sometimes you need to "log out other user sessions". To prevent cookie replay attacks or - a very common use case - log out other sessions when a user changes their password. ASP.NET does not have a built-in way of doing this, but there's a simple solution.
A FormsAuthenticationTicket
object has a built-in property called IssueDate
. So you can easily invalidate all forms auth tickets "older than date X". In our case, it would be "older than last password change"
You can, for example, read the IssueDate
property inside Application_AcquireRequestState
(in "global.asax") and if the date is "too old" (i.e. older that the user's last password change) log the user out.
Here's some code for you:
protected void Application_AcquireRequestState(object sender, EventArgs e) { //check if token should be invalidated if (User.Identity.IsAuthenticated) { var lastPswChange = GetPswChangeDate(User.Identity.Name); HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName]; FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value); //psw changed since this auth-token has been issued if(authTicket.IssueDate < lastPswChange) { //log him out Logout(); Response.Redirect("~/User/Login"); return; } } } private void Logout() { Session.Abandon(); Session.Clear(); FormsAuthentication.SignOut(); }
You will have to implement the GetPswChangeDate
method yourself.
"Password change date" is just one example. You can have and other date saved in your database next to every user and set it explicitly to whatever value you'd like.