25

I'm using ASP.NET MVC and ASP.NET Identity 2.0.

On my website, an admin has the option to ban a user, and I would like the user to be automatically signed out of the website when he is banned.

I know that I can sign-out current user by calling

```csharp
AuthenticationManager.SignOut();
```

But is it possible to sign out another user? Or maybe shorten his session? Or anything?

I know I could make a global filter on controllers prohibiting banned users from access, but that filter would be run against each user, so I'm not quite satisfied with that solution.

hyperN

2 Answers

18

If you use the `SecurityStampValidator` feature, when a user is banned just call `UpdateSecurityStamp(userId)` to cause any existing login cookies to be invalid the next time they are checked.

More info about SecurityStamp?

Hao Kung
  • I've added that line of code in my project but the user wasn't logged out. Can you explain a bit further how I should use it? – hyperN Sep 16 '14 at 23:11
  • 8
    It doesn't log the user out immediately, there's the validateInterval on the security stamp which you need to configure for how often the cookie is validated. – Hao Kung Sep 17 '14 at 18:50
16

You'll need to configure cookie invalidation in Auth.Config.cs:

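```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    // important to register UserManager creation delegate. Won't work without it
    app.CreatePerOwinContext(UserManager.Create);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        Provider = new CookieAuthenticationProvider
        {
            // Re-checks the cookie's security stamp against the user store at most
            // once per validateInterval; a stamp mismatch rejects the cookie.
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<UserManager, ApplicationUser, int>(
                    validateInterval: TimeSpan.FromMinutes(10),
                    regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                    // required by the three-type-argument overload used for non-string keys
                    getUserIdCallback: identity => identity.GetUserId<int>())
        },
        // other configurations
    });

    // other stuff
}
```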

and then update security stamp as Hao Kung says when users are banned.

I've blogged about this recently

trailmax
  • app.CreatePerOwinContext(UserManager.Create) - does the trick for me. I am using autofac, so in my case it looks like this: app.CreatePerOwinContext(() => DependencyResolver.Current.GetService()); app.CreatePerOwinContext(() => DependencyResolver.Current.GetService>()); Where Db is DbContext and User is a class that is derived from IdentityUser – Sergey Nov 20 '14 at 13:04
  • I don't quite understand this. I am using the standard template, so it generates `app.CreatePerOwinContext(ApplicationUserManager.Create);` which I guess is the same as `app.CreatePerOwinContext(UserManager.Create);`? It doesn't work in my case :( – Sam Aug 26 '20 at 02:13
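
The admin-side half of the two answers above, as an added example that is not code from either answer or from the ASP.NET Identity project: a ban action that invalidates the user's existing cookies through the security stamp. `AdminController`, `Ban`, the `"Admin"` role and the `"Index"` redirect are hypothetical names, `UserManager` is assumed to be the int-keyed manager registered in `ConfigureAuth`, and representing the ban as an Identity lockout is an assumption about the application.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Assumed names: AdminController, Ban and the "Admin" role are hypothetical;
// UserManager is the int-keyed manager class registered in ConfigureAuth.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    private UserManager Users
    {
        get { return HttpContext.GetOwinContext().GetUserManager<UserManager>(); }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Ban(int userId)
    {
        // Assumption: the ban is stored as an Identity lockout with no end date,
        // so a fresh password sign-in through SignInManager is refused as well.
        var result = await Users.SetLockoutEnabledAsync(userId, true);
        if (result.Succeeded)
        {
            result = await Users.SetLockoutEndDateAsync(userId, DateTimeOffset.MaxValue);
        }
        if (result.Succeeded)
        {
            // Changes the stamp in the store. Cookies issued earlier still carry
            // the old stamp and are rejected at their next validation, which can
            // be up to validateInterval after the cookie was issued or refreshed.
            result = await Users.UpdateSecurityStampAsync(userId);
        }
        if (!result.Succeeded)
        {
            // Do not report the ban as done if any step failed.
            return new HttpStatusCodeResult(500, string.Join("; ", result.Errors));
        }
        return RedirectToAction("Index");
    }
}
```

With the `validateInterval` of 10 minutes shown in the answer, a banned user's existing cookie can keep working for up to 10 minutes after this action runs. A shorter interval closes that window at the cost of more frequent user-store lookups.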