
How to kill a user's session

In an ASP.NET application a user has logged in on Machine1. The same user has logged in on Machine2 as well. At that time, I would like to log the user out from Machine1 and clear the session from Machine1. How can I achieve this?

I would be grateful if you could provide any sample application/code.

Please do help. Thanks in advance.
Easwaran Paramasivam
Ryan McCauley (Data and Analytics Manager) commented:
How are you storing the state of your application? I assume you mean that these two machines are physically separate and the user wouldn't legitimately use both at the same time.

I'd recommend storing the client workstation's name (or IP address, though this may not be reliable if they're behind a proxy) in the user table as part of the most recent login details. When they log in successfully, update this value to the current workstation they're on. Then, when they make a request in the application, confirm that the workstation they're currently on is the one in their most recent login - if it's not, give them a message that they've been logged on elsewhere and this session has ended (flushing the session state as necessary).

This way, the newly logged on session continues normally, while the existing session is terminated when the workstation name changes.
Easwaran Paramasivam (Author) commented:
flushing the session state as necessary - how to achieve this?

while the existing session is terminated when the workstation name changes. - Could you please explain how this works.
Ryan McCauley (Data and Analytics Manager) commented:
To clear the session state, you can use Session.Abandon, as demonstrated here (there's a discussion about when it's appropriate to use it):


For your second question, you'd have to have the page_load of each web page check the user's machine name (a few options: http://forums.asp.net/t/821809.aspx) and send that to the server as part of an "authorization" request - if the computer name matches the one last used to log in the user account (according to the login table you're keeping), then let the session go ahead - if it doesn't match, clear the session and send them to a "you've been logged in somewhere else" page instead.

Rose Babu (Senior Team Manager) commented:

Here I have a sample working process for your situation. Just give this a try.

1. Create a session table to maintain the logged-in user's session:

ID, UserID, UserName, SessionID, LogDate, LogTime

2. In the login page, get the user name and password along with the SessionID:

string strSessionID = Session.SessionID;

Or you can create a random session id for the user in the code-behind.

3. Validate and check the login details. If the login is successful, then set the user's session with the strSessionID received:

Session["SessionID"] = strSessionID;

If needed, set other session values like below:
Session["UserName"] = UserName;
Session["UserID"] = UserID;

Store the user's details in the UserSession table:
insert into UserSession(UserID, UserName, SessionID, LogDate, LogTime) values(@UserID, @UserName, @SessionID, @LogDate, @LogTime)

4. Then in every page's page_load or page_init, validate the user's session (e.g., validate_user_session(Session["SessionID"], Session["UserID"], Session["UserName"])) by sending the session details.
If the session is not valid, then clear the session and redirect the current page to the login page.

5. If the user logged out, then delete the session from the session table.

6. If the user logged in from another machine or browser, then delete the existing session based on the UserID or UserName.
By doing this, the previous session will be automatically cleared by the validate_user_session function in page_load or page_init.

Thus you can maintain a single session for a logged-in user.

You may also use an expiry datetime in the UserSession table; by setting this you can set the inactive time period.
The validate_user_session function can be written to check the expiry datetime; if the expiry datetime is reached (the user was inactive for some time period), then you can delete the user's session.
In every page, the validate_user_session function should check the session and update the expiry time.

I hope the points I mentioned will be helpful to proceed.

If you are OK with this concept, then try to implement it and test.
Easwaran Paramasivam (Author) commented:
When a user logs in for the very first time from a machine, one session id will be created for him.

When he logs in again from another machine, another session will be created. I would like to kill the first session, not the current session. If I use Session.Abandon(), I hope that the current session will be killed, not the old one.

How to achieve that? Please do describe. Thanks.
Ryan McCauley (Data and Analytics Manager) commented:
You'd use Session.Abandon in the "old" session the next time it tries to load a page. There's no way I'm aware of to kill a session remotely - like have the server terminate a session for you - but you can only have the client request that their session be terminated.

Based on what I understand your problem to be, the "old" session would realize it's not the current session anymore and request a Session.Abandon to clean itself up - you wouldn't request that from the new "current" session.

Does that make sense?
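The session-table steps and the "old session cleans itself up" behaviour discussed in this thread, as an added C# sketch that is not code from any of the posters. It assumes a hypothetical SingleSessionRegistry class, an in-memory dictionary standing in for the UserSession table, a random server-generated token in place of Session.SessionID, and a constructed user id and clock.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
// Stand-in for the UserSession table: one row per user, newest login wins.
public sealed class SingleSessionRegistry
{
    private sealed class Row
    {
        public readonly string Token; public readonly DateTime ExpiresUtc;
        public Row(string token, DateTime expiresUtc) { Token = token; ExpiresUtc = expiresUtc; }
    }
    private readonly ConcurrentDictionary<string, Row> _rows = new ConcurrentDictionary<string, Row>();
    private readonly TimeSpan _idle;
    public SingleSessionRegistry(TimeSpan idleTimeout) { _idle = idleTimeout; }

    // Steps 3 and 6: a successful login overwrites any earlier row for the user.
    public string RegisterLogin(string userId, DateTime nowUtc)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", "");
        _rows[userId] = new Row(token, nowUtc + _idle);
        return token; // the login page keeps it: Session["SessionID"] = token;
    }

    // Step 4: called from Page_Load/Page_Init. False means a superseded or idle
    // session; that request then calls Session.Abandon() and redirects to login.
    public bool Validate(string userId, string token, DateTime nowUtc)
    {
        Row row;
        if (!_rows.TryGetValue(userId, out row) || row.Token != token || row.ExpiresUtc <= nowUtc)
            return false;
        // Sliding expiry; TryUpdate fails if a newer login replaced the row meanwhile.
        return _rows.TryUpdate(userId, new Row(token, nowUtc + _idle), row);
    }
}

public static class Demo
{
    public static void Main()
    {
        var reg = new SingleSessionRegistry(TimeSpan.FromMinutes(20));
        var t0 = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc); // constructed clock
        string machine1 = reg.RegisterLogin("user1", t0);
        string machine2 = reg.RegisterLogin("user1", t0.AddMinutes(5));
        Console.WriteLine(reg.Validate("user1", machine1, t0.AddMinutes(6)));  // Machine1, superseded
        Console.WriteLine(reg.Validate("user1", machine2, t0.AddMinutes(6)));  // Machine2, current
        Console.WriteLine(reg.Validate("user1", machine2, t0.AddMinutes(40))); // Machine2, idle over 20 min
    }
}
```

The server never reaches into the Machine1 session; its row is simply gone, so its next request fails validation and abandons itself.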