[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


How to kill a user's session

Posted on 2012-09-06
Medium Priority
Last Modified: 2012-09-11
In an ASP.net application an user has logged in Machine1. The same user has logged in Machine2 as well. At that time, I would like to Logout the user From Machine1 and would like to clear the session from Machine1. How to achieve this?

It would be grateful if you provide any sample application/Code.

Please do help. Thanks in advance.
Question by:Easwaran Paramasivam
  • 3
  • 3
LVL 28

Expert Comment

by:Ryan McCauley
ID: 38374391
How are you storing the state of your application? I assume you mean that these two machines are physically separate and the user wouldn't legitimately use both at the same time.

I'd recommend storing the client workstation's name (or IP address, though this may not be reliable if they're behind a proxy) in the user table as part of the most recent login details. When they log in successfully, update this value to the current workstation they're on. Then, when they make a request in the application, confirm that the workstation they're currently on is the one is their most recent login - if it's not, give them a message that they've been logged on elsewhere and this session has ended (flushing the session state as necessary).

This way, the newly logged on session continues normally, while the existing session is terminated when the workstation name changes.
LVL 16

Author Comment

by:Easwaran Paramasivam
ID: 38375633
flushing the session state as necessary - how to achieve this?

while the existing session is terminated when the workstation name changes. - Could you please explain how this works.
LVL 28

Expert Comment

by:Ryan McCauley
ID: 38377124
To clear the session state, you can use Session.Abandon, as demonstrated here (there's a discussion about when it's appropriate to use it):


For your second question, you'd have to have the page_load of each web page check the user's machine name (a few options: http://forums.asp.net/t/821809.aspx) and send that to the server as part of an "authorization" request - if the computer name matches the one last used to log in the user account (according to the login table you're keeping), then let the session go ahead - if it doesn't match, clear the session and send them to a "you've been logged in somewhere else" page instead.
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 16

Accepted Solution

Rose Babu earned 1000 total points
ID: 38377212

Here i have a sample working process for your situation. Just give a try on this.

1. create a session table to maintain the log-in user's session

ID, UserID, UserName, SessionID, LogDate, LogTime

2. In login page, get the user name and password along with the SessionID

string strSessionID = Session.SessionID;

Or you can create a random session id for thr user in codebehind.

3. validate and check the login details. if the login successful, then set the user's session with the strSessionID received.

Session["SessionID"] = strSessionID;

if needed set other session values like below
Session["UserName"] = UserName;
Session["UserID"] = UserID;

store the User's details in UserSession table
insert into UserSession(UserID, UserName, SessionID, LogDate, LogTime) values(UserID, UserName, SessionID, LogDate, LogTime)

4. Then in every page's page_load or page_init, validate the user's session (e.g., validate_user_session(Session["SessionID"], Session["UserID"], Session["UserName"])) by sending the session details.
If the session is not valid then clear the session and redirect the current page to login page.

5. if the user logged out then delete the session from the session table.

6. if the user logged in from another machine or browser then delete the existing session based on the UserID or UserName.
by doing like this, the previous session will be automatically cleared by the validate_user_session function in page_load or page_init

thus you can maintain a single session for a loging user.

You may also use the expiry datetime in the UserSession table, by setting this you can set the inactive time period.
validate_user_session function can be written to check the expiry date time, if the expiry datetime reached (user was inactive for some time period) then you can delete the user's session.
in every page's, the validate_user_session function should check the session and needed to update the expiry time.

Hope the points i mentioned will be more helpful to proceed.

If you are ok with this concept then try to implement it and test.
LVL 16

Author Comment

by:Easwaran Paramasivam
ID: 38382992
One user logs in very first time from a machine means, one session id will be created for him.

Once again he logs in from another machine means another session will be created. I would like to kill the First session. Not the current session. If I use Session.Abondon() I hope that current session will be killed not the old one.

How to achieve that. Please do describe. Thanks.
LVL 28

Assisted Solution

by:Ryan McCauley
Ryan McCauley earned 1000 total points
ID: 38383262
You'd use Session.Abandon in the "old" session the next time it tries to load a page. There's no way I'm aware of to kill a session remotely - like have the server terminate a session for you - but you can only have the client request that their session be terminated.

Based on what I understand your problem to be, the "old" session would realize it's not the current session anymore and request a Session.Abandon to clean itself up - you wouldn't request that from the new "current" session.

Does that make sense?
LVL 16

Author Closing Comment

by:Easwaran Paramasivam
ID: 38386325

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question