Question

I understand that when a user logs in to an MVC web app (when the runtime executes FormsAuthentication.SignIn(..)), that user receives a cookie and continues to work with the site using that cookie.

However, the user can log in again from an incognito window or another PC and get access to the site from both places simultaneously. I would like to prevent him from doing that.

I believe that the solution to this issue lies somewhere close; however, neither googling nor digging into the MVC Forms Authentication classes gave me anything I could work with.

So how do I forcibly sign off the last user login (I believe it is a cookie stored inside the web server, but I might be wrong) when that user successfully logs in from somewhere new?


Solution 2

The only way you can do that is by storing the user login information in a table. So when the user tries to log in again, you can verify whether he is logged in somewhere else by querying the table. Once the user logs out, delete the rows from the table.

Remember, you would not be able to do anything with the help of cookies alone. The cookie will just contain the forms authentication ticket, which is used by the authentication module to verify whether the incoming request is authenticated or not. And since the calls are stateless, you cannot decide anything just by looking at the cookie.

OTHER TIPS

You need to implement Application_AuthenticateRequest in your global.asax file and validate that the user identity is still correct, i.e. you need to keep track of all sessions related to the user and which clients he used. You can then respond with a cookie reset in that method if you want to sign out the user.
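The following is an added example that puts both answers together (the per-user table from Solution 2 and the per-request check in Application_AuthenticateRequest from the tip above); it is not code from either answer. It assumes a classic ASP.NET MVC application on System.Web forms authentication. The "table" is a ConcurrentDictionary here so the sample is self-contained; a real deployment would use a database table so the state survives restarts and is shared across web-farm nodes. ValidateCredentials is a placeholder for the application's own credential check (Membership.ValidateUser stands in for it). The design is "newest login wins": each login generates a random token that is stored server-side and carried in the ticket's UserData, and any request whose ticket carries a token that no longer matches the stored one is signed out.

```csharp
// Added example: single active login per user with ASP.NET forms authentication.
// Assumptions: System.Web MVC app; in-memory store stands in for a database table;
// ValidateCredentials() is a hypothetical placeholder for the app's credential check.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// The "table": user name -> token of the login that is currently allowed to be active.
public static class ActiveLoginStore
{
    private static readonly ConcurrentDictionary<string, string> Current =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Records a new login. Overwriting the previous token is what "forcibly signs off"
    // the older browser: its cookie now carries a token that no longer matches.
    public static string RegisterNewLogin(string userName)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        Current[userName] = token;
        return token;
    }

    public static bool IsCurrent(string userName, string token)
    {
        string stored;
        return Current.TryGetValue(userName, out stored) && stored == token;
    }

    // Explicit logout: "once the user logs out, delete the rows from the table".
    public static void Remove(string userName)
    {
        string ignored;
        Current.TryRemove(userName, out ignored);
    }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!ValidateCredentials(userName, password)) return View();

        // Carry the per-login token in the ticket's UserData. The ticket is encrypted and
        // MAC-protected by forms authentication, so the client cannot edit the token.
        var token = ActiveLoginStore.RegisterNewLogin(userName);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, token);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        Response.Cookies.Add(cookie);
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }

    public ActionResult Logout()
    {
        if (User.Identity.IsAuthenticated) ActiveLoginStore.Remove(User.Identity.Name);
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }

    // Hypothetical placeholder: substitute the application's real credential check.
    private static bool ValidateCredentials(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }
}

// Global.asax.cs: every request re-validates the ticket against the table.
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { /* tampered or undecryptable: treated as stale below */ }

        if (ticket != null && !ticket.Expired &&
            ActiveLoginStore.IsCurrent(ticket.Name, ticket.UserData))
            return; // this cookie belongs to the newest login; let the request through

        // Stale ticket: expire the cookie in the response and make this request anonymous,
        // so [Authorize] sends the old browser back to the login page.
        FormsAuthentication.SignOut();
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}
```

Two practical notes: the token is compared on every request, so the store must be cheap to read (a database table with an index on the user name, or a cache in front of it), and because the check reads the cookie directly rather than Context.User it does not depend on whether FormsAuthenticationModule has already run for the request.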

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow