Open Closed

How to make user logout automatically once his status changed if he logged in already #3759


0
Merna created

Hello, I've separated applications in my project ,

Steps to reproduce the issue: 1-Create a user and login with his account 2-change from the administration area his status (deactivate or lock out this account ) ,but this user still can browse within his context and can do any request

How could I fix it to have instant response and stop this user immediately? Thanks in advance

Here is some information about my application

ABP Framework version: v5.1

UI type: MVC

DB provider: EF Core


5 Answer(s)
  • 0
    gterdem created
    Support Team

    Technically speaking, if you would be using a tiered application or a SPA that uses tokens for authentication; you could delete the user tokens.

    But in a non-tiered MVC application, you are basically trying to invalidate someone else's cookies. Even if you impersonate the user and sign out; it will be signed out from your browser, not his/her.

    I don't think it is possible without XSS.

    Or maybe I understand it wrong.

  • 0
    Merna created

    Hello , sorry for late response. I have created a new project using abp version 5.1 and create a small demo for this issue , https://jawda-my.sharepoint.com/:v:/g/personal/merna_jawda_net/EZrt105-FLpAhhg5rNKxW8gBgy0H1-oKd4RlVX9OfhImzQ?e=KFxQTK

    so my problem here is very simple : I want to prevent the created user with username (merna2) from requesting any page(log him out) once the admin deactivate or delete the account. so is there anyway to apply it.

  • 0
    Merna created

    Hello , Any Updates?!

  • 0
    gterdem created
    Support Team

    You can't do that. It is cookie authentication and you are trying to remove someone else's cookie.

  • 0
    maliming created
    Support Team

    hi

    There is a property UserSecurityStamp of IdentityUser and SecurityStampValidator.

    When the important properties of the user(username, email, password, etc) are changed, this value will change,

    You can set SecurityStampValidatorOptions.ValidationInterval Property to 3 second or other values.