Reputation: 448
Using Identity Server 4 with .NET Core 3.1, Razor Pages. Also using Cookie Authentication
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
Problem -
In a web application John logged in 2 times
So, if John tries to log in a 3rd time on Firefox without logging out from the previous browsers, then I want to forcefully log John out from the 1st login on Chrome.
I can keep track of the logins in a Session table including Session Id, User Id etc. But I don't know how to log out a user from a particular session using the Session Id.
Please help.
Thanks
Upvotes: 8
Views: 7996
Reputation: 21025
Since you're saying you can keep track of logins, perhaps you should keep track of each session and assign a number somewhere indicating when it was logged in (1 for Chrome, 2 for Edge, 3 for Firefox).
Then each time a request is made, you check in your table what the lowest number is (1,2,3 etc), and if the session matches that number, you sign the user out from that session.
await HttpContext.SignOutAsync(IdentityServerConstants.DefaultCookieAuthenticationScheme);
Since each browser will have their own cookie, you can use the above method.
After signing someone out, the next login can be assigned 4, and if 2 makes a request you log that client out.....
Also see this: https://github.com/IdentityServer/IdentityServer4/issues/736
I have implemented this. When a user logs in, the session id (IUserSession.GetSessionIdAsync) is manually stored in our database. The previous value of this database field is used to create a logout_token which I send to my clients. You can have a look at IdentityServer4.Infrastructure.BackChannelLogoutClient to figure out how to create the token and post. All this assumes you have backchannel logout implemented, of course.
Upvotes: 1
Reputation: 4095
Use the End Session Endpoint
The end session endpoint can be used to end a session and trigger a logout.
In the login process you will need to capture the id_token received from authentication and what user it belongs to, and store it in some dbo.table. You can use this same table to also keep track of whether a user has logged in more than once.
To log out a user or end a session you will need to pass the ID you saved as a query string parameter called id_token_hint in a GET call, as shown below:
GET /connect/endsession?id_token_hint={id_token}
For reference see the documentation here https://identityserver4.readthedocs.io/en/latest/endpoints/endsession.html#end-session-endpoint
Upvotes: 2
Reputation: 7623
ASP.NET Core provides an ITicketStore interface which allows you to get control of storing user sessions. Once you provide a class implementing this interface and register it, it will call your class when sessions are being created or verified which you can then store in a database however you like, including attaching arbitrary metadata like browser ID etc.
Now that you have user sessions in your database, you can separately query them and revoke as needed in other logic, including during logins. Since you now provide the session data, simply deleting the record effectively logs the user out from that session. Note that if you use any caching layer to reduce the store requests, you'd need to remove any cached copies as well.
Note that this is separate from IdentityServer and happens with ASP.NET Core itself.
This is a good tutorial that helped me implement this in my app.
A sample of how it looks to register in Startup, where PersistentTicketStore is my implementation:
// Persistent ticket/cookie store to provide durable user sessions
services.AddSingleton<IUserSessionRepository, UserSessionRepository>();
services.AddSingleton<ITicketStore, PersistentTicketStore>();
services.AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
.Configure<ITicketStore>((options, store) => options.SessionStore = store);
Upvotes: 4
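An added example (not the answerer's PersistentTicketStore and not code from the original page) of an ITicketStore that applies the question's rule: when a user signs in beyond the limit, the oldest session is deleted, so the next request carrying that browser's cookie fails authentication. The class name, the two-session limit, the in-memory dictionary and the "sub" claim lookup are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical in-memory store (single server only); persist entries in a database for real use.
public class OldestSessionEvictingTicketStore : ITicketStore
{
    private const int MaxSessionsPerUser = 2; // assumed limit, from the question's scenario
    private sealed class Entry { public string UserId; public DateTimeOffset Created; public AuthenticationTicket Ticket; }
    private readonly ConcurrentDictionary<string, Entry> _sessions = new ConcurrentDictionary<string, Entry>();

    // Assumption: the user id is in the "sub" claim, falling back to NameIdentifier.
    private static string UserIdOf(AuthenticationTicket ticket) =>
        ticket.Principal.FindFirst("sub")?.Value
        ?? ticket.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value
        ?? throw new InvalidOperationException("Ticket has no user id claim.");

    // Called at sign-in: evict the user's oldest sessions, then store the new ticket.
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var userId = UserIdOf(ticket);
        var existing = _sessions.Where(s => s.Value.UserId == userId).OrderBy(s => s.Value.Created).ToList();
        foreach (var old in existing.Take(Math.Max(0, existing.Count - MaxSessionsPerUser + 1)))
            _sessions.TryRemove(old.Key, out _);

        var bytes = new byte[32]; // random key; the cookie carries this key instead of the full ticket
        RandomNumberGenerator.Fill(bytes);
        var key = Convert.ToBase64String(bytes);
        _sessions[key] = new Entry { UserId = userId, Created = DateTimeOffset.UtcNow, Ticket = ticket };
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Only update entries that still exist, so an evicted session is never resurrected.
        if (_sessions.TryGetValue(key, out var entry)) entry.Ticket = ticket;
        return Task.CompletedTask;
    }

    // A null result for an evicted key makes the cookie handler fail authentication.
    public Task<AuthenticationTicket> RetrieveAsync(string key) =>
        Task.FromResult(_sessions.TryGetValue(key, out var entry) ? entry.Ticket : null);

    public Task RemoveAsync(string key) { _sessions.TryRemove(key, out _); return Task.CompletedTask; }
}
```

It is registered the same way as the ITicketStore singleton in the answer above; two sign-ins by the same user arriving at the same moment can both pass the count check, so a database-backed version should do the count and insert in one transaction.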