How to kill a user's session

Posted on 2012-09-06
Last Modified: 2012-09-11
In an application, a user has logged in on Machine1. The same user has logged in on Machine2 as well. At that time, I would like to log out the user from Machine1 and clear the session from Machine1. How can I achieve this?

I would be grateful if you could provide any sample application/code.

Please do help. Thanks in advance.
Question by:Easwaran Paramasivam
    LVL 28

    Expert Comment

    by:Ryan McCauley
    How are you storing the state of your application? I assume you mean that these two machines are physically separate and the user wouldn't legitimately use both at the same time.

    I'd recommend storing the client workstation's name (or IP address, though this may not be reliable if they're behind a proxy) in the user table as part of the most recent login details. When they log in successfully, update this value to the current workstation they're on. Then, when they make a request in the application, confirm that the workstation they're currently on is the one in their most recent login - if it's not, give them a message that they've been logged on elsewhere and this session has ended (flushing the session state as necessary).

    This way, the newly logged on session continues normally, while the existing session is terminated when the workstation name changes.
    LVL 16

    Author Comment

    by:Easwaran Paramasivam
    flushing the session state as necessary - how to achieve this?

    while the existing session is terminated when the workstation name changes. - Could you please explain how this works.
    LVL 28

    Expert Comment

    by:Ryan McCauley
    To clear the session state, you can use Session.Abandon, as demonstrated here (there's a discussion about when it's appropriate to use it):

    For your second question, you'd have to have the page_load of each web page check the user's machine name (a few options: and send that to the server as part of an "authorization" request - if the computer name matches the one last used to log in the user account (according to the login table you're keeping), then let the session go ahead - if it doesn't match, clear the session and send them to a "you've been logged in somewhere else" page instead.
    LVL 16

    Accepted Solution


    Here I have a sample working process for your situation. Just give this a try.

    1. create a session table to maintain the log-in user's session

    ID, UserID, UserName, SessionID, LogDate, LogTime

    2. In login page, get the user name and password along with the SessionID

    string strSessionID = Session.SessionID;

    Or you can create a random session ID for the user in the code-behind.

    3. Validate and check the login details. If the login is successful, then set the user's session with the strSessionID received.

    Session["SessionID"] = strSessionID;

    if needed set other session values like below
    Session["UserName"] = UserName;
    Session["UserID"] = UserID;

    store the User's details in UserSession table
    insert into UserSession(UserID, UserName, SessionID, LogDate, LogTime) values(UserID, UserName, SessionID, LogDate, LogTime)

    4. Then in every page's page_load or page_init, validate the user's session (e.g., validate_user_session(Session["SessionID"], Session["UserID"], Session["UserName"])) by sending the session details.
    If the session is not valid then clear the session and redirect the current page to login page.

    5. if the user logged out then delete the session from the session table.

    6. if the user logged in from another machine or browser then delete the existing session based on the UserID or UserName.
    by doing like this, the previous session will be automatically cleared by the validate_user_session function in page_load or page_init

    Thus you can maintain a single session for a logged-in user.

    You may also use an expiry datetime in the UserSession table; by setting this you can set the inactive time period.
    The validate_user_session function can be written to check the expiry datetime; if the expiry datetime has been reached (the user was inactive for some time period) then you can delete the user's session.
    In every page, the validate_user_session function should check the session and update the expiry time.

    Hope the points I mentioned will be helpful to proceed.

    If you are ok with this concept then try to implement it and test.
    LVL 16

    Author Comment

    by:Easwaran Paramasivam
    When a user logs in for the very first time from a machine, one session ID will be created for him.

    When he logs in again from another machine, another session will be created. I would like to kill the first session, not the current session. If I use Session.Abandon() I expect that the current session will be killed, not the old one.

    How to achieve that? Please do describe. Thanks.
    LVL 28

    Assisted Solution

    by:Ryan McCauley
    You'd use Session.Abandon in the "old" session the next time it tries to load a page. There's no way I'm aware of to kill a session remotely - like have the server terminate a session for you - but you can only have the client request that their session be terminated.

    Based on what I understand your problem to be, the "old" session would realize it's not the current session anymore and request a Session.Abandon to clean itself up - you wouldn't request that from the new "current" session.

    Does that make sense?
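
Added example, not part of the original thread or any poster's code: a console sketch of the session-table approach from the accepted solution, together with the point made in the reply above that the old session only finds out it has been replaced on its next request. The class and method names (UserSessionStore, RegisterLogin, Validate) are hypothetical, an in-memory dictionary stands in for the UserSession table, and the token is generated randomly rather than taken from Session.SessionID.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical in-memory stand-in for the UserSession table: one row per UserID.
public class UserSessionStore
{
    private class Row { public string Token; public DateTime ExpiresUtc; }
    private readonly Dictionary<int, Row> _rows = new Dictionary<int, Row>();
    private readonly TimeSpan _idleTimeout;

    public UserSessionStore(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    // Steps 3 and 6: a successful login overwrites any earlier row for the
    // user, so the token still held by the other machine stops validating.
    public string RegisterLogin(int userId, DateTime nowUtc)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        lock (_rows) _rows[userId] = new Row { Token = token, ExpiresUtc = nowUtc + _idleTimeout };
        return token;
    }

    // Step 4: call on every request (Page_Load / Page_Init). A false result
    // means this request should Session.Abandon() and redirect to login.
    public bool Validate(int userId, string token, DateTime nowUtc)
    {
        lock (_rows)
        {
            Row row;
            if (!_rows.TryGetValue(userId, out row) || row.Token != token) return false;
            if (nowUtc >= row.ExpiresUtc) { _rows.Remove(userId); return false; }
            row.ExpiresUtc = nowUtc + _idleTimeout; // sliding idle timeout
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new UserSessionStore(TimeSpan.FromMinutes(20));
        DateTime t0 = new DateTime(2012, 9, 6, 9, 0, 0, DateTimeKind.Utc); // constructed sample time
        string machine1 = store.RegisterLogin(42, t0);               // first login
        string machine2 = store.RegisterLogin(42, t0.AddMinutes(5)); // same user, second machine
        Console.WriteLine(store.Validate(42, machine1, t0.AddMinutes(6)));  // replaced session
        Console.WriteLine(store.Validate(42, machine2, t0.AddMinutes(6)));  // current session
        Console.WriteLine(store.Validate(42, machine2, t0.AddMinutes(40))); // idle past timeout
    }
}
```

In a real page the token returned by RegisterLogin would be kept in Session["SessionID"], and a false result from Validate is where the old machine's request calls Session.Abandon().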
    LVL 16

    Author Closing Comment

    by:Easwaran Paramasivam
