ASP.Net Identity Force Logout From SQL - sql-server

I'm using the ASPNET Identity tables for my MVC 5 application. Each night we perform "maintenance" on our database. If we modify something under that user, I want to inactivate their current session so that the next action they perform in the web application will kick them back to the login screen. The authentication/authorization already is built into my application using AspNet.Identity. I just need a way to wake it up by setting a flag if it exists.
For example the ASPNETUsers table has an "Inactive" column, but that's too permanent. I'm looking for the "ThisGuyIsLoggedIn" column.
This was close to the same problem, but the answer was to manage it from within MVC, which is not an option.
forcefully log out a specific user among all online users

After playing with some of the columns I realized, you can change the SecurityStamp column which will invalidate the user and cause any authentication to fail. Just don't change it to NULL.
-- @USER_ID: the Id of the user whose sessions should be invalidated
UPDATE AspNetUsers
SET SecurityStamp = NEWID()
WHERE Id = @USER_ID

I would like to share this link, with a full description of how to force user logout.
https://tech.trailmax.info/2015/09/prevent-multiple-logins-in-asp-net-identity/
Full project on GitHub:
https://github.com/shaahink/Prevent-Multiple-Login-ASPNETIdentity
If you need to reset the security stamp:
var result = await UserManager.UpdateSecurityStampAsync(user.Id);
It's a very nice solution to reset the user stamp from an admin panel.
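A changed SecurityStamp only signs the user out when the application re-checks the cookie against AspNetUsers.SecurityStamp, which the cookie middleware does at most once per validateInterval (30 minutes in the default MVC 5 template). The Startup.Auth.cs below is an added example, not code from the answers or the linked project; ApplicationDbContext, ApplicationUserManager, ApplicationUser and GenerateUserIdentityAsync are assumed to be the types the default template generates.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed: context and user manager from the default MVC 5 template.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Once the cookie is older than validateInterval, the stamp stored
                // in it is compared with AspNetUsers.SecurityStamp. A mismatch
                // rejects the identity and the next request lands on LoginPath.
                // A stamp rotated from SQL therefore takes effect within this
                // interval; TimeSpan.Zero checks on every request at the cost
                // of one database read per request.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(1),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```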

Related

Best way to implement one-time feature after signup?

Note: This is likely a duplicate question but I couldn't search for a solution/suggestion for my use case, so if anyone can re-direct me, that would be appreciated.
Problem: I have a NextJS application that runs on Prisma ORM and MySQL database. I am using NextAuth for OAuth authentication for sign up and log in.
So far the application works just fine, but I want to check whether a user is logging in for the first time and redirect them to a setup page where they would input personal details in order to populate a table in the database, so that the app can form a dynamic page based on their newly added information.
On the database, there are the user table (populated by NextAuth immediately at login) and the profile table.
Under NextAuth, the user table is populated automatically with the account's user name and email etc. However, that is not a unique entry and NextJS getStaticPath requires a unique entry to generate a dynamic page. That's why I have created the profile table to allow users to add their custom username where the dynamic URL will be generated (e.g. localhost:3000/u/[slug])
Here's my question - I want to check whether the user is logging in for the first time and, if so, send them a form to fill out the necessary information for the profile table; otherwise they would go straight to their profile homepage. What is the best way to check that and to redirect them to that form page?
Do I do it at server side with getServerSideProps by checking that the id from user table is missing from the profile table and do a redirect? Or is there some method that's customarily used to implement this "initial set-up" procedure?

Differentiate between logged users

I'm trying to get the current logged (in my app) user in every winform of my app, but I don't know how to differentiate between multiple logged users in the app.
I have an ActiveUsers SQL Table with SessionID and UserID to identify a single user.
Also how can I close the session (delete the userid from the ActiveUsers table) if the app is terminated abnormally?
Any help?
Edit: The app is composed of several winforms and is intended to run on multiple PCs at the same time. Users are created in the application and stored in the SC_User table with UserID as PK. The ActiveUsers table has UserID as FK and SessionID as PK. What I want is to get the UserID of the user using the application in any winform and use it to, for example, change the app language preference of that user. For a single user I insert the UserID in ActiveUsers at login and delete it at logoff.
Keeping application-wide data is quite easy. All you have to do is add either a static (shared in vb.net) class or a singleton class to your project and store the application-wide data there. (Extra read: differences between singleton and static)
As for the second question, you don't really have a way to know if the client is closed without proper logout. What you do in these cases is implement a keep-alive mechanism.
A simple implementation would be to add another column to your session table to keep track of the timestamp when the logged-in user was last active (usually a timer inside that static/singleton class will be in charge of updating this column every x time), and once the difference between this column and the current datetime is big enough, you can safely assume that the application is closed without proper logout.
You can even run a scheduled job on your sql server to delete the records on the session table where the application is closed without proper logout if you want to.
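The keep-alive described above, as an added example that is not part of the original answer. The LastSeenUtc column, the Guid type of SessionID and the int type of UserID are assumptions; only the ActiveUsers table and its two column names come from the question.

```csharp
using System;
using System.Data.SqlClient;
using System.Threading;

// Application-wide holder for the current session; a timer refreshes the
// heartbeat column (LastSeenUtc is a hypothetical column on ActiveUsers).
public static class SessionHeartbeat
{
    private static Timer _timer;
    private static string _connectionString;
    public static Guid SessionId { get; private set; }
    public static int UserId { get; private set; }

    public static void Start(string connectionString, Guid sessionId, int userId, TimeSpan interval)
    {
        _connectionString = connectionString;
        SessionId = sessionId;
        UserId = userId;
        _timer = new Timer(_ => Beat(), null, TimeSpan.Zero, interval);
    }

    public static void Stop() { _timer?.Dispose(); _timer = null; }

    private static void Beat()
    {
        try
        {
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(
                // Server clock, so skewed client clocks cannot keep a session alive.
                "UPDATE ActiveUsers SET LastSeenUtc = SYSUTCDATETIME() " +
                "WHERE SessionID = @sid AND UserID = @uid", conn))
            {
                cmd.Parameters.AddWithValue("@sid", SessionId);
                cmd.Parameters.AddWithValue("@uid", UserId);
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }
        catch (SqlException) { /* transient failure: the next tick retries */ }
    }

    // Statement for the scheduled job: rows silent for longer than the timeout
    // are treated as sessions that ended without a logout. Choose a timeout of
    // several heartbeat intervals so one missed beat does not end a live session.
    public const string CleanupSql =
        "DELETE FROM ActiveUsers " +
        "WHERE LastSeenUtc < DATEADD(MINUTE, -@timeoutMinutes, SYSUTCDATETIME())";
}
```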

CakePHP - Know the time and date users have logged into my application

Is it possible to know the time and date users have logged in my application or do I need to store this information in my User's table myself? Just wondering if the Authentication procedure has any kind of logs already in place.
Yes, you have to store login information in a separate table so you can keep track of user login history.
There is no built-in functionality provided by the CakePHP framework.
You are probably looking for something like http://www.dereuromark.de/2010/09/17/keeping-track-of-usersguests/
Basically, a table where you trigger an update with each page visit (or with every x one for performance). The created timestamp for a specific session id will tell you when they logged in. last_page_url and clicked_from where they currently are and where they came from etc.

How to create single user login page?

I want to create a user account using an ASP page in which only one user can log in to their account. If that page is currently logged in, then no one can log in to that page; only after logout can another user log in to that account.
This may give you a glimpse: in the database you may add a table UserLogin with two fields, UserId and IsLogin. While logging in any user, check the IsLogin status; if it returns true, then don't allow the user to log in. If it returns false, then allow the user to log in. After successful login, switch the IsLogin state to true.
Hope I have understood your question.
Darshan Joshi's answer is one way to do it, and if you have a simple enough application it may be sufficient.
Depending on the specifics of your application, you might want to think about different angles.
For example: If more than one distinct page needs to only take one user at a time, I would think about creating a new table with a record for each of these pages. This way, you can set a page as logged-in/in-use using the user's unique ID when someone logs in or accesses the page. When the user logs out/leaves the page (or if their ASP Session expires; users do not always log out cleanly!) you can "unlock" the page again. Not only that, you might reduce database load by searching specifically for the page record rather than any user with a logged-in flag.
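An added example, not taken from either answer, of claiming the single login slot in one UPDATE so that two simultaneous logins cannot both pass a separate check, with an expiry for sessions that never logged out. UserLogin, UserId and IsLogin come from the first answer; the LockedAtUtc column, the int type of UserId and the class name are assumptions.

```csharp
using System;
using System.Data.SqlClient;

public static class SingleLoginGate
{
    // The check and the set happen in one statement: the row changes only if
    // the slot is free or the previous holder's lock is older than the timeout.
    private const string ClaimSql =
        "UPDATE UserLogin SET IsLogin = 1, LockedAtUtc = SYSUTCDATETIME() " +
        "WHERE UserId = @uid AND (IsLogin = 0 " +
        "  OR LockedAtUtc < DATEADD(MINUTE, -@timeoutMinutes, SYSUTCDATETIME()))";

    private const string ReleaseSql =
        "UPDATE UserLogin SET IsLogin = 0 WHERE UserId = @uid";

    // Returns true only for the one caller whose UPDATE changed the row.
    public static bool TryClaim(string connectionString, int userId, int timeoutMinutes)
    {
        return Execute(connectionString, ClaimSql, userId, timeoutMinutes) == 1;
    }

    // Call on logout and from the session-end handler.
    public static void Release(string connectionString, int userId)
    {
        Execute(connectionString, ReleaseSql, userId, null);
    }

    private static int Execute(string connectionString, string sql, int userId, int? timeoutMinutes)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@uid", userId);
            if (timeoutMinutes.HasValue)
                cmd.Parameters.AddWithValue("@timeoutMinutes", timeoutMinutes.Value);
            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows changed
        }
    }
}
```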

cakephp auth session regeneration

We are using Cakephp framework version 2.0.6
The site is "supposed" to allow an anonymous user to "add to cart."
We are using the session id (using cake's native session class) to store the anonymous user's information in a db table.
When the user goes to checkout, then we want to ask "are you a current member? If so, click yes to login or no to create an account."
ISSUE:
Regardless of what they choose, the user either then has to login, or create a new user/pass (and then login) which is causing cakephp to regenerate a session ID. This is making it impossible in the new session to grab what that user added to the cart when they were anonymous just 5 minutes prior. In other words, the anonymous user's session id changes between when they are anonymous and after they login/create-user, making it impossible to identify their cart post-login.
Is there a way to prevent cakephp from regenerating a session in this scenario, or a better way to accomplish what we are trying to do while still keeping our order flow (ie: anonymous being allowed to add to cart, before login/create)?
It is this reason that shopping carts are more often than not stored in Cookies. That way you can easily retrieve the saved information post-authentication.
If you insist on using Sessions to store this data, consider setting your Security.level setting to 'low'. That should prevent CakePHP from regenerating the session ID.
