26

How can I sign out another user (not the currently logged-in one) in ASP.NET Core Identity?

I know there is a SignOutAsync() method in SignInManager, but there seems to be no override accepting user as argument. I'm looking for something like:

signInManager.SignOutAsync(user);
2
  • 3
    Have you tried invalidating the security stamp of the target user? This should invalidate his/her session on his/her next HTTP request. Commented Jan 13, 2017 at 7:54
  • Does the value of the security stamp matter? Or should it just be different from the previous security stamp? Commented Jan 13, 2017 at 8:03

2 Answers 2

50

First update the security stamp of that user:

await userManager.UpdateSecurityStampAsync(user);

That user won't notice the change until the SecurityStampValidationInterval elapses, so set it to zero for an immediate logout:

services.AddIdentity<User, Role>(identityOptions =>
{
   // enables immediate logout, after updating the user's stat.
   identityOptions.SecurityStampValidationInterval = TimeSpan.Zero;
});

Update: For ASP.NET Core Identity 2.x, 3.x, 5.x

services.Configure<SecurityStampValidatorOptions>(options =>
{
    // enables immediate logout, after updating the user's stat.
    options.ValidationInterval = TimeSpan.Zero;   
});

6 Comments

Does this solution apply to asp.net identity 2.0 and above?
This severe impact is just one query to the DB. If that DB is not able to handle it, change it!
Just to be correct here - it's more than one query - counting 5 extra queries on ASP.NET Core 2.X (AspNetUser, AspNetUserClaims, AspNetUserRoles, AspNetRoles, AspNetRoleClaims)
AFAIK this will result in DB queries for user "changes" for every request of every user, and this will impact all requests to your webapp.
Suppose you have disabled a user. (s)he should be logged out immediately, otherwise wait for further damages from that user...
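The first answer's approach combined with the disabled-user case raised in its comments, as an added example that is not part of the original answers: an admin-only endpoint optionally locks the target account and rotates its security stamp, with a one-minute validation interval instead of zero to bound the per-request database cost. `AppDbContext`, the route, the `Admin` policy and the in-memory database (from the Microsoft.EntityFrameworkCore.InMemory package) are assumptions for illustration.

```csharp
// Added example (not from the original answers). Assumes the default IdentityUser,
// a hypothetical AppDbContext, and a hypothetical "Admin" authorization policy.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("demo"));
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<AppDbContext>();

// How often the cookie's stamp is re-checked against the store. TimeSpan.Zero
// checks on every request; a short non-zero interval bounds the delay instead.
builder.Services.Configure<SecurityStampValidatorOptions>(o =>
    o.ValidationInterval = TimeSpan.FromMinutes(1));

builder.Services.AddAuthorization(o =>
    o.AddPolicy("Admin", p => p.RequireRole("Admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/admin/users/{id}/sign-out", async (
    string id, bool? disable, UserManager<IdentityUser> users) =>
{
    var user = await users.FindByIdAsync(id);
    if (user is null) return Results.NotFound();

    if (disable == true)
    {
        // Block new sign-ins first so the rotated stamp cannot be followed by a fresh login.
        await users.SetLockoutEnabledAsync(user, true);
        await users.SetLockoutEndDateAsync(user, DateTimeOffset.MaxValue);
    }

    // Rotating the stamp invalidates every cookie issued with the old value.
    var result = await users.UpdateSecurityStampAsync(user);
    return result.Succeeded ? Results.NoContent() : Results.Problem("Stamp update failed");
}).RequireAuthorization("Admin");

app.Run();

class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

The stamp check does not look at lockout state, so locking the account alone leaves existing cookies valid until the stamp is rotated.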
1

I think you might find some revoke functionality, which makes the user sign out forcefully. It is not easily implemented currently because of the nature of stateless connections and token-based (or, we can say, claim-based) authentication.

A revoked user should access a token validation endpoint in order to check whether the token is valid or not. Until then, (1) the user could be shown as signed in, or (2) we need to implement the client (app or web) to access the token endpoint very frequently until token expiration or revocation.

Sign-in/out is tied to the token-authorized user identity scope, so the viable solution is to invalidate a token.

2 Comments

By token you mean "security stamp"? Something like: IUserSecurityStampStore.SetSecurityStampAsync(newValue) ?
