misha130

Reputation: 5706

Signout all users with the same username asp identity

I have recently implemented the ASP Identity system into my website.

Now, because I don't want my users to share accounts between themselves, I want to log out people with the same username. I noticed that I have an AspNetUserLogins and theoretically I could just delete doubled items from there, but it's always empty.

Did I implement it badly? Is it supposed to be empty? Everything seems to work without a problem otherwise.

If it is supposed to be empty do I have to fill it manually?

Is AspNetUserClaims also supposed to be empty until I make a custom claim for it?

Any other ideas on how to implement this automatic sign out system?

Edit: Did some simple research and realized AspNetUserLogins is just for external logins. But what actually keeps the logs of who is logged in?

Upvotes: 0

Views: 1500

Answers (1)

Shoaib Shakeel

Reputation: 1547

You need to store a list of logged-in users someplace, like in a database or a file. And when a new user tries to log in, search the previous records to see whether a user with the same name is already logged in or not.

If a duplicate is found, then just update the SecurityStamp.

await UserManager.UpdateSecurityStampAsync(userId);

So the next time the current user's validate interval ends and the SecurityStamp is found invalid, he will be automatically signed out. You can find the validate interval in your identity configuration class.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    ExpireTimeSpan = System.TimeSpan.FromDays(30),
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            // How often the security stamp in the cookie is re-checked against the stored one
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

And after calling the above method, just log in the new user and update your login record list.

NOTE: This is a really bad practice to enforce such policies. Try to avoid it as much as possible. Even different browsers, or one browser with separate sessions, will be considered as duplicate sign-in.

Upvotes: 1
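
The delay described in the answer, as an added example (not code from the answer or from ASP.NET Identity): a simplified C# model of the stamp check, where `Session`, `StampStore` and `Validate` are hypothetical names and the timestamps are constructed. It shows that the first session keeps working until its cookie is older than `validateInterval`, so that setting bounds how long two sign-ins with the same username can coexist.

```csharp
using System;
using System.Collections.Generic;

// Simplified model (an assumption, not Identity's source) of the check that
// SecurityStampValidator.OnValidateIdentity performs on each request.
class Session
{
    public string UserId;
    public string Stamp;        // stamp copied into the cookie at sign-in
    public DateTime IssuedUtc;  // when the cookie was issued or last refreshed
}

class StampStore
{
    private readonly Dictionary<string, string> _stamps = new Dictionary<string, string>();

    // Stands in for UserManager.UpdateSecurityStampAsync(userId).
    public string Rotate(string userId) => _stamps[userId] = Guid.NewGuid().ToString();
    public string Current(string userId) => _stamps[userId];
}

static class Demo
{
    static readonly TimeSpan ValidateInterval = TimeSpan.FromMinutes(30);

    // Returns true if the request is accepted. The stored stamp is consulted
    // only once the cookie is older than ValidateInterval.
    static bool Validate(Session s, StampStore store, DateTime now)
    {
        if (now - s.IssuedUtc <= ValidateInterval) return true;  // trusted without a lookup
        if (s.Stamp != store.Current(s.UserId)) return false;    // stale stamp: signed out
        s.IssuedUtc = now;                                       // stamp matches: cookie refreshed
        return true;
    }

    static void Main()
    {
        var store = new StampStore();
        var t0 = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc);
        var first = new Session { UserId = "alice", Stamp = store.Rotate("alice"), IssuedUtc = t0 };
        // A second sign-in with the same username at 09:10 rotates the stamp.
        var second = new Session { UserId = "alice", Stamp = store.Rotate("alice"), IssuedUtc = t0.AddMinutes(10) };

        Console.WriteLine(Validate(first, store, t0.AddMinutes(20)));  // old cookie, inside the interval
        Console.WriteLine(Validate(first, store, t0.AddMinutes(31)));  // old cookie, interval elapsed
        Console.WriteLine(Validate(second, store, t0.AddMinutes(45))); // new cookie, interval elapsed
    }
}
```

A shorter `validateInterval` narrows the overlap at the cost of a user-store lookup on more requests.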
