ASP.NET/IIS: Log out all users

Question

In an ASP.NET 3.5 application running on IIS, how do I force a "deauthentication" of all currently logged-in and authenticated users?

iisreset didn't seem to do the trick!

Answer 1

Changing the authentication form name will then require new authentication from all users.

From:

<authentication mode="Forms">
  <forms name="originalName" loginUrl="~/Account/Login"  />
</authentication>

To:

<authentication mode="Forms">
  <forms name="differentName" loginUrl="~/Account/Login"  />
</authentication>

Answer 2

ASP.NET authentication is designed to be resilient to an IISReset due to its use of cookies - performing an IISReset will clear any in-memory information, but the next time a user asks for a page on your site, they will send their authentication token, which (if it hasn't timed out) will still be valid, and the server will re-authenticate them.

You could write something that would effectively log out the user after a restart, by (for example) storing the application start time in a global variable in Application_Start, and then comparing the users LastActivityDate with that value - if it's before the start time, then you can call the appropriate sign-out method during Application_SessionStart or Application_BeginRequest.