I have a web system developed in ASP.NET MVC 4.
One of the features is user management. A CRUD
of users.
My login
method is as follows:
[HttpPost]
public ActionResult Login(LoginViewModel loginViewModel)
{
if (_loginService == null)
_loginService = new LoginService();
var result = _loginService.Login(loginViewModel.User, loginViewModel.Password);
if (!result.Error)
{
var userData = JsonConvert.SerializeObject(result.User);
FormsAuthentication.SetAuthCookie(result.User.Id, false);
var ticket = new FormsAuthenticationTicket(1, result.Id, DateTime.Now, DateTime.Now.AddMinutes(9999), true, userData, FormsAuthentication.FormsCookiePath);
var encryptedCookie = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedCookie) { Expires = DateTime.Now.AddHours(14) };
Response.Cookies.Add(cookie);
}
return new JsonResult
{
Data = result
};
}
Yes, it is in English even though the system will be maintained by several companies.
Finally, I try to return this method on the client side, with javascript.
As you can imagine, I use the [Authorize]
attribute in all Controller
where authentication is required.
Let's say I just logged into the system with user StackOverflow
. I am normally navigating until another user identified as DoMal
resolves to delete me from the system. Since I'm only deleting the user in the Delete
action, the StackOverflow
user will normally navigate the site even when it is deleted. Until, of course, the cookie expires. The problem is I want some way to end his session right away.
Is there a way to end the session only from StackOverflow
in IIS? Or force the cookie to expire?
The only thing I do not want to do is create an online user existence check on every action taken on the site.
Any ideas, suggestion?