ASP.NET/IIS: Log out all users - c#

In an ASP.NET 3.5 application running on IIS, how do I force a "deauthentication" of all currently logged-in and authenticated users?
iisreset didn't seem to do the trick!

Changing the authentication form name will then require new authentication from all users.
From:
<authentication mode="Forms">
<forms name="originalName" loginUrl="~/Account/Login" />
</authentication>
To:
<authentication mode="Forms">
<forms name="differentName" loginUrl="~/Account/Login" />
</authentication>

ASP.NET authentication is designed to be resilient to an IISReset due to its use of cookies - performing an IISReset will clear any in-memory information, but the next time a user asks for a page on your site, they will send their authentication token, which (if it hasn't timed out) will still be valid, and the server will re-authenticate them.
You could write something that would effectively log out the user after a restart, by (for example) storing the application start time in a global variable in Application_Start, and then comparing the user's LastActivityDate with that value - if it's before the start time, then you can call the appropriate sign-out method during Application_SessionStart or Application_BeginRequest.
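
One way to implement the restart check described in the answer above, as an added example that is not part of the original answer. It assumes Forms Authentication with a membership provider whose login path updates LastActivityDate (as SqlMembershipProvider.ValidateUser does), and it hooks PostAuthenticateRequest because Context.User is not yet populated in BeginRequest.

```csharp
// Global.asax.cs -- added example, not code from the original answer.
// Assumption: a successful login updates the user's LastActivityDate.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Reset on every application start (iisreset, app-pool recycle, web.config edit).
    private static DateTime appStartUtc;

    protected void Application_Start(object sender, EventArgs e)
    {
        appStartUtc = DateTime.UtcNow;
    }

    // Runs after FormsAuthenticationModule has validated the ticket
    // and set Context.User for this request.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return; // anonymous request, nothing to revoke

        // userIsOnline = false so this lookup does not itself bump LastActivityDate.
        MembershipUser user = Membership.GetUser(Context.User.Identity.Name, false);

        // LastActivityDate is returned as local time; compare in UTC.
        // A ticket for a user that no longer exists is treated as stale too.
        bool predatesStart = user == null
            || user.LastActivityDate.ToUniversalTime() < appStartUtc;

        if (predatesStart)
        {
            // Expire the auth cookie and send the browser to the configured loginUrl.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }
    }
}
```

The check costs one membership lookup per authenticated request, and any other code that updates LastActivityDate before this handler runs will let an old ticket through.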

Related

In windows authentication how to allow the users if subdomain(abc) is used in URL like http://abc.localhost/myweb/

In Windows authentication without a subdomain (http://localhost/myweb/) it asks for a username/password, and after a successful login it displays the application page.
But when I ran it with a subdomain (http://abc.localhost/myweb/), it does not accept the login credentials; it gives an Unauthorized access error.
What changes do I need to make to overcome this problem?
What I tried is:
In Web.config I changed allow users to * and deny users to ?, but it's not working.

It's because the cookie changes and depends on the subdomain and domain - to keep the same cookie you have to define the domain parameter on the authentication lines and on the cookie in web.config.
The lines where you have to define it are:
<authentication mode="Forms">
<forms domain="domain.com" .... />
</authentication>
<roleManager domain="domain.com" >
.... other lines .....
</roleManager>
<httpCookies domain="domain.com" .... />
By setting up the correct domain without the subdomain, you can have the same authentication cookie on your subdomains.
Other similar questions : Multiple applications using same login database logging each other out

Logout in one application cause logout in another one

I have two different web applications hosted on the same server, and in one application I have a link to the second one.
If a user logs in to the first application and clicks the link to the second one, the user is automatically logged in, as I pass the login information through the query string.
The problem:
If the user clicks the logout button in either of these applications, they automatically lose the session in the other one too.
Why does this happen? How can I overcome this?

I got the issue: I have the same domain name for both of these applications.
As they have the same domain name, the cookie and session IDs are the same. I hosted these applications with different domain names and the issue is gone!

If you are using Forms Authentication you should change the cookie name in web.config:
<system.web>
<authentication mode="Forms">
<forms name=".SOMENAME" requireSSL="false" protection="All" loginUrl="~/Security/Login" timeout="2880" />
</authentication>
</system.web>

Session time out Logout Url ASP.Net

I have an issue with my ASP.Net web app built in 4.0 framework.
I have the below set in the web config -
<authentication mode="Forms">
<forms loginUrl="~/SignIn.aspx" protection="All" timeout="2880" path="/" />
</authentication>
When a user clicks my URL he sees the login page.
Now the session timeout is set to the default session timeout from IIS, which is 20 minutes.
Now when the session expires I would like to force the user to redirect to Logout.aspx.
How can I achieve this? I would like to redirect the user to the Logout.aspx page once the session times out.

The short answer is to check HttpContext.Current.Session.IsNewSession on each page request to see if the user's session timed out and has started a new session. In the event that it is a new session, redirect the user to the page of your choosing.
If you're using MVC or even just want to see a more thorough explanation of session timeouts in action, check out http://tyronedavisjr.com/2008/11/23/detecting-session-timeouts-using-a-aspnet-mvc-action-filter/ for an example.

Timeout option for Simplemembership

Does simplemembership have an easy way to set a timeout to automatically log you out after a certain amount of time has passed while you've been inactive?

SimpleMembership doesn't provide a timeout you can configure; the authentication mechanism does.
If you are using FormsAuthentication, you can set up this timeout here:
<authentication mode="Forms">
<forms loginUrl="~/Login" timeout="20" slidingExpiration="true" />
</authentication>
In the example above the timeout is set to 20 minutes. This means that the authentication cookie (containing the authentication ticket) will expire after 20 minutes of inactivity once the user is authenticated.
The membership provider is responsible for validating the user credentials, among other responsibilities. However, it is not responsible for "recognizing" subsequent requests for authenticated users.
Please check this article so you have a better idea about what is happening behind the scenes.

ASP.NET Authentication Questions

I use ASP.NET and ASP.NET Authentication.
I have a website with structure like:
ROOT
- CMS
- AdminCms
- web.conf*
- FORUM
- AdminForum
- web.conf*
- web.conf ***
Now in web.conf *** I use for CMS LOGIN PAGE
<authentication mode="Forms">
<forms loginUrl="~/Cms/AdminCms/Login.aspx" timeout="2880" />
</authentication>
My Questions:
How can I have another DEFAULT LOGIN PAGE for another folder (if the user uses, for example, FORUM)?
Would it be possible to insert in web.conf* another
<authentication mode="Forms">
<forms loginUrl="~/Forum/AdminForum/Login.aspx" timeout="2880" />
</authentication>
Any ideas?

Based on my comment earlier - Forms authentication allows redirecting a user to different pages after a successful login. To enable this, forms authentication keeps track of the original page a user came from in the ReturnUrl request parameter to the login page.
In your case you could do something like this in the codebehind of your login page after a successful login:
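    // ReturnUrl is added by forms authentication when it redirects to the login page.
    string originalTarget = Request.Params["ReturnUrl"];
    if (originalTarget != null)
    {
        // Route by the area originally requested; Contains is case-sensitive.
        if (originalTarget.Contains(@"/FORUM/"))
            Response.Redirect(someForumURL);
        else
            Response.Redirect(someCMSURL);
    }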
Edit: Here also a link to an article - Forms Authentication - Redirecting users to a Page other than Default.aspx

If you mark both the folders, CMS and Forum, as an application in IIS, you can easily do this since both of them will be a separate application domain.
