logout all other users browser login sessions except the one user resets his password

  • Question

  • User-585144208 posted

    Hi

    I configured CookieAuthenticationOptions as below :

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            //ExpireTimeSpan = TimeSpan.FromHours(1),
            SlidingExpiration = true,

            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                    validateInterval: TimeSpan.FromMinutes(1),
                    regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                    getUserIdCallback: (id) => (id.GetUserId<int>())),
            }
        });

    Whenever a user resets his/her password, his login in other browsers will be invalidated and the user should try to log in again. But I don't want the user to have to log in again in the browser he already changed the password with; only the other browsers' sessions should get invalidated. Is it possible? Or should I redirect the user to the login page?

    Saturday, November 10, 2018 12:52 PM

All replies

  • User475983607 posted

    I'm guessing the problem you are trying to solve is a user that has logged in with two different browsers.  If the user updates their password, then all cached auth cookies should be invalidated.

    The code shown above checks for invalid auth cookies every minute.  Since cookies are browser instance specific it only affects the current browser request and should work exactly as you requested.

    Is the problem that the user is redirected to the login page after updating the password?  If so, just write code within the password update method to log out and log in.  Just copy the code from your login 

    Otherwise, explain the problem you are trying to solve.  

    Saturday, November 10, 2018 1:47 PM
  • User-585144208 posted

    I think redirecting the user from the change password is a better solution.

    Thanks. 

    Saturday, November 10, 2018 1:49 PM
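
The "log out and log in inside the password update method" approach from the first reply, as an added example that is not code from the thread. It assumes ASP.NET Identity 2.x with integer keys as in the question; `ManageController`, `ChangePasswordViewModel` and `ApplicationSignInManager` (a `SignInManager<ApplicationUser, int>`) are assumed names that do not appear in the thread.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Assumed view model; not shown in the thread.
public class ChangePasswordViewModel
{
    public string OldPassword { get; set; }
    public string NewPassword { get; set; }
}

[Authorize]
public class ManageController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ChangePassword(ChangePasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var owin = HttpContext.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        // Assumed: ApplicationSignInManager derives from SignInManager<ApplicationUser, int>.
        var signInManager = owin.Get<ApplicationSignInManager>();
        int userId = User.Identity.GetUserId<int>();

        // A successful change stores a new security stamp for the user, so every
        // cookie issued earlier fails OnValidateIdentity at its next check
        // (validateInterval is one minute in the question's configuration).
        IdentityResult result = await userManager.ChangePasswordAsync(
            userId, model.OldPassword, model.NewPassword);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors) ModelState.AddModelError("", error);
            return View(model);
        }

        // Re-issue only this browser's cookie so it carries the new stamp.
        // Cookies held by other browsers keep the old stamp and are rejected.
        ApplicationUser user = await userManager.FindByIdAsync(userId);
        if (user != null)
            await signInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);

        return RedirectToAction("Index");
    }
}
```

With `isPersistent: false` the re-issued cookie is a session cookie; pass the original sign-in's persistence choice instead if the current browser should keep a "remember me" login.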