What I want to do is to limit a user ID to only being able to log in to one device at a time. For example, user ID "abc" logs in to their computer. User ID "abc" now tries to log in from their phone. What I want to happen is to kill the session on their computer.
I'm using ASP.NET MVC Identity membership and using SecurityStamp for this purpose. This is my code in the Account/Login action:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        var user = UserManager.FindByEmail(model.Email);
        var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
        await UserManager.UpdateSecurityStampAsync(user.Id);
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
The documentation for the UpdateSecurityStampAsync method says: "Generate a new security stamp for a user, used for SignOutEverywhere functionality." But it doesn't work.
If you want to enable instant invalidation of cookies on other devices, then every request must hit the database to validate the cookie. To do that you need to configure cookie invalidation in Auth.Config.cs and set validateInterval to 0:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<UserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromSeconds(0),
                    regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
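The validator above only rejects cookies whose stamp no longer matches the database; the login action also has to rotate the stamp before it issues the new device's cookie, otherwise the cookie it has just issued is the one that gets invalidated. The following Login action is an added example, not the asker's or answerer's code; it assumes the default MVC 5 Identity template types (ApplicationUserManager, ApplicationSignInManager, LoginViewModel) and a cookie validator configured with a zero validateInterval as shown above.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Added example; assumes the default MVC 5 Identity template types.
public class AccountController : Controller
{
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
    private ApplicationSignInManager SignInManager =>
        HttpContext.GetOwinContext().Get<ApplicationSignInManager>();

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        // Verify the password first: rotating the stamp before verification would let
        // anyone who knows an e-mail address sign the real user out of their device.
        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user == null || !await UserManager.CheckPasswordAsync(user, model.Password))
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        // Rotate the stamp BEFORE issuing this device's cookie. Every cookie issued
        // earlier (the other devices) now carries a stale stamp and is rejected by
        // SecurityStampValidator on its next request because validateInterval is zero.
        await UserManager.UpdateSecurityStampAsync(user.Id);

        // Re-read the user so the identity created below embeds the fresh stamp rather
        // than the one cached in the instance fetched before the rotation.
        user = await UserManager.FindByIdAsync(user.Id);
        await SignInManager.SignInAsync(user, model.RememberMe, rememberBrowser: false);

        // Only follow local return URLs to avoid an open redirect.
        return Url.IsLocalUrl(returnUrl)
            ? (ActionResult)Redirect(returnUrl)
            : RedirectToAction("Index", "Home");
    }
}
```

CheckPasswordAsync does not count failed attempts towards lockout the way PasswordSignInAsync does; if lockout is required, call UserManager.AccessFailedAsync(user.Id) on the failure path and check IsLockedOutAsync before verifying.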