How can I kill a specific session? Where are they stored?

Question

We are currently building an MVC4 web application that needs to implement soft of an "exclusive" login per user. That means, each user is allowed to only have one active session. If during that session another succesful login for the same user occurs from another browser or host, the old session needs to be killed.

In order to do so, I save the session ID when a user logs in. When another login occurs, I do have the list of all existing session ID's for this user (which should be only one). So I do have a session ID as a string that I want the web application to invalidate/kill/drop - but how and where can I do that? So I need to kill a session itself, not a session variable within it.

I tried to find something in System.Web.HttpContext.Current.Session, but as far as I can see, I can only access the current session (in the context of the current user and request), but how can I access all the other established sessions to this web application?

Thanks for your help!

Answer 1

You have to control the session on the server side. On the server side you have access to the session id assigned to each new session.

So, when the user logs in, you store the assigned session id in the users table. He gets this session id. In each request, you check if the session id is equals to the one stored on the database.

When the users issues another login, another session id is assigned by the server, right? You store this new session id on the user's table.

Afterwards, requests from the older session will be denied/redirected, since the session id is no longer valid. The old session id was replaced by the one of the last login.