I have an ASP.NET MVC application running on IIS7. I use sessions to keep track of logged in users. There is a session named IsSignedIn. ("true" means this user is currently logged in).

I also have an administration page for my application.

Now, say user1 who is signed in already, must be suspended from using the service immediately. So I want to invalidate the session variables set for user1 from my administration page (this will force the user to sign in again).

Is there a way I can access/modify session variables set by each logged in user from my administration page?

+5  A: 

You cannot change a session variable from another session.

One way to solve your problem is to store a list of logged in users in the Application-object, and then change the value in that variable. For this to work you must check at the top of each page that this user is in the list of logged in users.

As çağdaş commented on this answer, performance would probably be better if you store a list of users you want to log out in your application-variable. Then on the top of your page do something like this (pseudo, this actual code snippet will not work):

if (Application["SuspendedUsers"].Contains(Session["UserID"])) {
  Session["IsSignedIn"] = false;
  Application["SuspendedUsers"].Remove(Session["UserID"]);
}
Espo
Or store a list of suspended users, which would probably be smaller than the logged in users.
çağdaş
The problem with that is that it implies that *anyone* not explicitly excluded is authenticated. My cousin Bob probably doesn't need access to your site.
David Lively
+1. The Application object should work fine for this. The Cache Object will also work and allow a little more flexibility.
Steve Wortham
@ztech My code goes in addition to the existing code that checks the session-variable, not instead of. That way Bob will not have access because his session["isLoggedIn"] is false.
Espo
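
The suspended-users check from the answer above, written as an ASP.NET MVC action filter (an added example, not code from the original posts). `SuspensionList`, `RejectSuspendedUsersAttribute` and the `~/Account/SignIn` URL are assumed names, `Session["UserID"]` is assumed to hold a string, and unlike the pseudocode it leaves the user on the list so that every session that user has open is ended.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical helper: a suspended-user set kept in Application state.
public static class SuspensionList
{
    private const string Key = "SuspendedUsers";

    // Called from the administration page to suspend a user.
    public static void Suspend(HttpApplicationStateBase app, string userId)
    {
        app.Lock(); // Application state is shared by all concurrent requests
        try
        {
            var set = app[Key] as HashSet<string>
                      ?? new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            set.Add(userId);
            app[Key] = set;
        }
        finally { app.UnLock(); }
    }

    public static bool IsSuspended(HttpApplicationStateBase app, string userId)
    {
        if (userId == null) return false; // anonymous request, nothing to check
        app.Lock();
        try
        {
            var set = app[Key] as HashSet<string>;
            return set != null && set.Contains(userId);
        }
        finally { app.UnLock(); }
    }
}

// Runs before each action of the controllers it decorates.
public class RejectSuspendedUsersAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var ctx = filterContext.HttpContext;
        var userId = ctx.Session == null ? null : ctx.Session["UserID"] as string;
        if (!SuspensionList.IsSuspended(ctx.Application, userId)) return;

        ctx.Session.Abandon(); // discards IsSignedIn and the rest of this session
        filterContext.Result = new RedirectResult("~/Account/SignIn"); // assumed URL
    }
}
```

Apply the attribute to each controller or a shared base controller, and have the sign-in action consult the same list, otherwise the suspended user can log straight back in. Application state lives in a single worker process and is lost on an app-pool recycle, so a persistent account flag is still needed behind it.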
A: 

Where is your session state stored? If it's in SQL server, you should be able to invalidate it by updating the relevant row in the database. The standard session state server, however, doesn't appear to allow this.

Alternatively, check your database at the top of each relevant page to see if the user still has rights/is authenticated.

David Lively