Open Closed

After making User inactive, need to force him to log out #5239

OriAssurant created

Objective: I need to force the user to log out when I mark the user to Inactive in user management (from a different machine). The user immediately should be redirected to log out page expiring his session so he cannot log back in!

How can we do this?

5 Answer(s)
  • 0
    bbakermmc created

    What are you trying to prevent? Because the next action they take should trigger a permission check which would direct them away anyways.

    You could probably do something with signalR or the event bus: <a class="postlink" href=""> ... /Event-Bus</a>

  • 0
    OriAssurant created

    I want to force the user to logout. So that he cannot log in back!

  • 0
    bbakermmc created

    Again. Your explanation isnt valid for most web sites. I make a user inactive, he then tries to goto a another page on the site, he will be directed away, even if they try to edit a record it will come back as not valid. So again what are you really trying to prevent, seeing content. At some point the user will navigate away or session will close even if idle and the user comes back they wont be active. You want to force close a session/force a redirect, so you need to implement signlalR or the even listener.

  • 0
    alper created
    Support Team

    You can invalidate the target user's token. So basically you'll have a business logic or a property that's set on AbpUser. When the target user makes the first request after you set him as logged out, the token will not be validated. And the user will get an exception.

    If you like this approach check out the following link: Write custom token validator for JWT and throw exception in OnTokenValidated() event

    On the other hand you can set the LockoutEndDateUtc property on AbpUser entity. I am not sure it'll prevent the next request execution of the user. Test and see...

  • 0
    hra created


    Sorry to awaken this old thread - however it is the most sensible place to discuss the behavior of AspNetZero today.

    There is a comment above, "the next action they take should trigger a permission check which would direct them away" - this is incorrect as of version 10. I just tested this now - a user account (using Token auth) which is disabled by an admin while that user is logged in - will experience no redirects or errors. The "disabled" account will continue to function, fully authorised - until they voluntarily log out, or expire their token.

    Is this the intended behavior of ANZ today? If so, I feel it should be recorded as a bug, as an admin who "disables" a user account, intends to do so to prevent that user from accessing the system. If they need to call them up and ask "could you please log out so you cannot get back in?" then the system is flawed. Note: Requesting the browser to discard the token is likely an insecure solution - as a clever user could reinstate the token on their site

    So, 2 questions:

    1. Is it intended that "disabled" accounts require the effected user to invalidate their token (either through logout, or expiration)?
    2. If so, whats the recommended template code to fix this?
      1. note: the above suggestion - throwing an exception during token validation - or even returning false, generates a 302 on the client which doesnt explain this is a "user account disabled" scenario for my API clients (mobile apps)
    3. If there is a technical reason why this code should not be integrated into the base product (such as performance concerns) - please explain