Question

Consider the case of forms authentication with persistent cookies.

If the same user logged in using two different browsers or two different machines, when the user logs out from one of the browsers/machines, wouldn't he still be able to log in from the other browser/machine?

Usually, how do web applications handle this case?


Solution 3

Forms Authentication with cookies (regardless of whether they are persistent or not) is browser-session based (a persistent cookie would of course work across multiple sessions of the same browser, on the same user account on the same machine). So two browser sessions (or two different browsers, or browsers on two machines, etc.) would be treated as different scopes as far as forms authentication is concerned.

So a user can make multiple logins from different browser sessions, and logout in one will not affect the other. It is up to the web application whether to allow multiple concurrent logins for the same user or not. For example, online banking sites would restrict to only one user session - so if the user logs in from a different session then the earlier session is invalidated (i.e. the user is logged out). One has to write a custom implementation in ASP.NET to do so - a typical implementation would make an entry for every user session in the database (typically required for audit purposes anyway) - so whenever a new entry is added, a check is made to see if there is any active session for the same user and if yes then that session is marked inactive. Every request would check if the current user session is active or not, and if not then it would flag such a message to the user.

OTHER TIPS

I have to agree with Srinivas for the most part. Here is my take on the subject:

  1. On login, create an HTTP-only cookie with a GUID generated at login; this will be your browser/computer key. Closing the browser will remove the cookie.
  2. Get the user id.
  3. Persist the pair in the user table, e.g. user:a, key:12345.
  4. On subsequent requests, run the following authentication algorithm after the user has been authenticated:
  5. Get the last used key in the db for the current user id.
  6. Check that the cookie is present; if not, then completely unauthenticate.
  7. Check that the cookie value is the same as that in the database; if not, then completely unauthenticate.

With this method any subsequent login will cause a required reauthentication and invalidate any other authentications, in effect forcing the user to use only one browser/computer.
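The seven steps above, as an added example that is not code from the answer or from ASP.NET: an in-memory dict stands in for the user table, the forms-authentication ticket is simulated by an `auth_user` cookie, and `login`, `logout` and `is_request_authenticated` are hypothetical names. A second login for the same user overwrites the stored key, so the first browser's requests fail the step-7 comparison from then on.

```python
import hmac
import secrets

# Constructed stand-in for the "user table" column that holds the last
# issued login key per user. A real application persists this in the DB.
USER_TABLE = {}


def login(user):
    """Step 1-3: mint a fresh per-login key, store it as the user's only
    valid key, and return the cookies the browser would now hold."""
    key = secrets.token_hex(16)          # random GUID-like browser/computer key
    USER_TABLE[user] = key               # overwrites any earlier login's key
    return {"auth_user": user, "login_key": key}


def is_request_authenticated(cookies):
    """Steps 4-7: run after forms authentication has identified the user.
    Returns False ("completely unauthenticate") on any mismatch."""
    user = cookies.get("auth_user")
    if user is None:                     # not even a forms-auth ticket
        return False
    presented = cookies.get("login_key")
    if presented is None:                # step 6: key cookie missing
        return False
    expected = USER_TABLE.get(user)      # step 5: last key stored for this user
    if expected is None:                 # user has been logged out everywhere
        return False
    # step 7: constant-time comparison so the check does not leak timing info
    return hmac.compare_digest(presented, expected)


def logout(cookies):
    """Drop the stored key so no browser holding an old key stays valid."""
    USER_TABLE.pop(cookies.get("auth_user"), None)
    cookies.clear()


def simulate_two_browsers(user="alice"):
    """Walk the scenario from the question: the same user in two browsers.
    Returns (A valid after its login, A valid after B logs in, B valid)."""
    browser_a = login(user)
    a_first = is_request_authenticated(browser_a)
    browser_b = login(user)              # second login invalidates the first
    a_after_b = is_request_authenticated(browser_a)
    b_valid = is_request_authenticated(browser_b)
    logout(browser_b)
    return a_first, a_after_b, b_valid
```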

I usually do it this way: I have a session column in my user table (in the database). When the user logs in I store the value Y in it. I change it to N when he logs out. Every time the user tries to log in, I check the value in the corresponding session column, and if it is Y I tell the user that he is already logged in, and if it is N then I allow the user to log in. But we have to be careful and set the value to N when the user logs out or closes the browser.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow