Programmatically logout an ASP.NET user

#1
My app allows an admin to suspend/unsuspend user accounts. I do this with the following code:

MembershipUser user = Membership.GetUser(Guid.Parse(userId));
user.IsApproved = false;
Membership.UpdateUser(user);

The above works fine to suspend the user, but it does not revoke their session. Consequently, the suspended user can remain with access to the application as long as their session cookie remains. Any fix/
Reply

#2
If using forms authentication:

FormsAuthentication.SignOut();
Reply

#3
There's no way to abandon a session from 'outside' the session. You would have to check the database on each page load, and if the account has been disabled, then sign out. You could achieve this using an HttpModule too, which would make things a bit cleaner.

For example:

using System;
using System.Web;
using System.Web.Security;

public class UserCheckModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Fires after session state has been acquired, before the page handler runs.
        context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }

    public void Dispose() {}

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Skip anonymous requests and handlers that have no session (e.g. static files).
        if (ctx.Session == null || !ctx.Request.IsAuthenticated)
            return;

        // Get the user (though the method below is probably incorrect)
        // The basic idea is to get the user record using a user key
        // stored in the session (such as the user id).
        string key = ctx.Session["guid"] as string;
        MembershipUser user = key != null ? Membership.GetUser(Guid.Parse(key)) : null;

        // Ensure user is valid: a missing record or an unapproved account ends the session
        if (user == null || !user.IsApproved)
        {
            ctx.Session.Abandon();
            FormsAuthentication.SignOut();
            ctx.Response.Redirect("~/Login.aspx?AccountDisabled");
        }
    }
}

This isn't a complete example, and the method of retrieving the user using a key stored in the session will need to be adapted, but this should get you started. It will involve an extra database check on each page load to check that the user account is still active, but there's no other way of checking this information.
Reply

#4
On some common page, check for the account being valid, and if it's been revoked, call `Session.Abandon()`.

**Edit** (Just noticed this was still open.)

I know this works, because I do it.

On the master page, check the account status. That means *on every navigation* you have the chance to log them out.

**(Final) Edit**

Don't think of it as "I am terminating their session," think of it as "their session terminates itself."
Reply

#5
When you log out a user, it is also a good idea to overwrite the `FormsAuthenticationTicket`.

HttpContext context = HttpContext.Current;

//overwrite the authentication cookie
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, context.User.Identity.Name, DateTime.Now, DateTime.Now.AddDays(-1), false, Guid.NewGuid().ToString());
string encrypted_ticket = FormsAuthentication.Encrypt(ticket);

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted_ticket);
cookie.Expires = ticket.Expiration;
context.Response.Cookies.Add(cookie);

//clear all the sessions
context.Session.Abandon();

//sign out and go to the login page
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
Reply
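The per-request check from post #3 and the ticket overwrite from post #5 combined into one module, as an added example that is not code from the thread. It assumes forms authentication with the Membership provider; the module name, the query string value and the `HttpOnly` flag are my choices, and the lookup uses the user name from the authentication ticket rather than a session key, so it does not depend on session contents.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the thread): on every authenticated request, re-check the
// account and end the session if it has been suspended since the user signed in.
public class SuspendedAccountModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PreRequestHandlerExecute: User.Identity and Session are both available,
        // and it runs for every handler, not only pages using a given master page.
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    public void Dispose() { }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsAuthenticated) return;

        // The name comes from the forms-auth ticket, which the framework has already
        // validated, so it is a reliable key; a session value could be missing or stale.
        // This is one Membership lookup per request (post #3's "extra database check").
        MembershipUser user = Membership.GetUser(ctx.User.Identity.Name, false);
        if (user != null && user.IsApproved && !user.IsLockedOut) return;

        // Overwrite the auth cookie with an already-expired ticket (post #5) so the
        // browser discards it, then abandon the session and sign out.
        FormsAuthenticationTicket expired = new FormsAuthenticationTicket(
            1, ctx.User.Identity.Name, DateTime.Now, DateTime.Now.AddDays(-1), false, string.Empty);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(expired));
        cookie.Expires = expired.Expiration;
        cookie.HttpOnly = true;
        ctx.Response.Cookies.Add(cookie);

        if (ctx.Session != null) ctx.Session.Abandon();
        FormsAuthentication.SignOut();

        // After sign-out the next request is anonymous, so the login page does not loop.
        FormsAuthentication.RedirectToLoginPage("AccountDisabled=1");
    }
}
```

Register the module in web.config under `<system.webServer><modules>` (IIS integrated pipeline) or `<system.web><httpModules>` (classic mode) for it to run.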