Chethan

Reputation: 370

How to clear session when user is logged in but later deleted from the database

When a user is authenticated to a web application, a token is stored in the session. If the admin deletes the user in the back end while the user is still online, how do I clear the user's session?

Upvotes: 3

Views: 2765

Answers (4)

Tim M.

Reputation: 54377

Short answer: you can't do this easily. Let the session expire, and the user won't be able to subsequently log in.

Long answer: if this functionality is really important to you, then you will have to check the database with each request to ensure that the user hasn't been deleted since they logged in. This somewhat defeats the purpose of storing user information in session, although the call to the database can be a simple boolean check (i.e. "is the user still valid/active").

Can't I just remove the user's session? It doesn't appear to be possible to locate/manipulate a specific session even if you have the session ID in hand. Keys and storage are managed internally by implementations of SessionStateStoreProviderBase (InProcSessionStateStore, OutOfProcSessionStateStore, SqlSessionStateStore) and aren't intended to be manipulated by developers.

Upvotes: 2

Ravi Gadag

Reputation: 15861

Based on the session Timeout and SlidingExpiration properties (thanks to @chethan): after the session times out, the user is forced to log in again. From MSDN, SlidingExpiration:

Sliding expiration resets the expiration time for a valid authentication cookie if a request is made and more than half of the timeout interval has elapsed. If the cookie expires, the user must re-authenticate. Setting the SlidingExpiration property to false can improve the security of an application by limiting the time for which an authentication cookie is valid, based on the configured timeout value.

<system.web>
    <!-- timeout is an integer number of minutes; "x minutes" is a placeholder -->
    <sessionState timeout="x minutes"/>
    ...
</system.web>

Or else you can use the AuthorizeAttribute.AuthorizeCore method.

Forms Authentication Guidelines

Upvotes: 0
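
The per-request "is the user still valid" check from Tim M.'s answer, placed in the AuthorizeCore override named in the answer above, as an added example that is not code from any of the posters. It assumes ASP.NET MVC with forms authentication; IUserStatusStore, ActiveUserAuthorizeAttribute and StoreFactory are hypothetical names standing in for your own user lookup and wiring.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical abstraction over the user table: one cheap boolean query.
public interface IUserStatusStore
{
    bool IsActive(string userName);
}

// Apply in place of [Authorize] on controllers/actions that need a live account.
public class ActiveUserAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: set once at application start (e.g. in Global.asax).
    public static Func<IUserStatusStore> StoreFactory { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Standard checks first: authenticated, plus any Users/Roles filters.
        if (!base.AuthorizeCore(httpContext))
            return false;

        IUserStatusStore store = StoreFactory != null ? StoreFactory() : null;
        string userName = httpContext.User.Identity.Name;

        // Fail closed: no store configured, or the account is gone.
        if (store == null || !store.IsActive(userName))
        {
            // Drop server-side session state for this request's session.
            if (httpContext.Session != null)
                httpContext.Session.Abandon();

            // Expire the forms-authentication cookie in the response.
            FormsAuthentication.SignOut();
            return false;
        }

        return true;
    }
}
```

Returning false makes MVC issue a 401, which forms authentication turns into a redirect to the login page, where the deleted account can no longer sign in.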

iandayman

Reputation: 4467

Do you need to clear the session or just prevent future access to authorised pages?

If you re-authenticate or check authorisation on each HTTP server request then the user will effectively be logged out.

Upvotes: 0

laszlokiss88

Reputation: 4081

By logging out the user before delete?

Upvotes: 0
