Hi @Darwai, Nikhil,
You can try adding a guid parameter to the authentication parameter. At the same time, the guid is saved to the session table, and when logging in, a row is added to the table, and the guid is saved in the cookie. Use the user ID and GUID to check that user authentication is enabled. Log off by deleting rows with guid, or log off by deleting all rows with userID to close all sessions.
Best regards,
Lan Huang
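The session-table approach described in this answer, as an added example (not code from the answer or from ASP.NET Identity). `SessionTable`, its method names and the sample e-mail address are assumptions, and an in-memory dictionary stands in for the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;

// In-memory stand-in for the session table (one row per login: guid -> userId); real rows live in the database.
public sealed class SessionTable
{
    private readonly ConcurrentDictionary<Guid, string> _rows = new();

    // Login: add a row and return the guid that is stored in this browser's cookie.
    public Guid Login(string userId)
    {
        // 16 bytes from the CSPRNG so the value cannot be guessed (.NET 6+).
        var guid = new Guid(RandomNumberGenerator.GetBytes(16));
        _rows[guid] = userId;
        return guid;
    }

    // Per-request check: the cookie's guid must still have a row owned by this user.
    public bool IsActive(string userId, Guid guid) => _rows.TryGetValue(guid, out var owner) && owner == userId;

    // Log off one browser: delete the row with this guid.
    public bool Logout(Guid guid) => _rows.TryRemove(guid, out _);

    // Log off everywhere (for example after a password change): delete all rows for the user.
    public int LogoutAll(string userId)
    {
        var removed = 0;
        foreach (var row in _rows.Where(r => r.Value == userId).ToList())
            if (_rows.TryRemove(row.Key, out _)) removed++;
        return removed;
    }
}

public static class Demo
{
    public static void Main()
    {
        var table = new SessionTable();
        const string user = "user@example.test";   // constructed sample user
        var chrome = table.Login(user);            // session in browser 1
        var firefox = table.Login(user);           // session in browser 2
        // Password changed in browser 1: close every session this user has.
        var closed = table.LogoutAll(user);
        Console.WriteLine($"closed={closed} chrome={table.IsActive(user, chrome)} firefox={table.IsActive(user, firefox)}");
    }
}
```

The `IsActive` check has to run on every authenticated request; a browser whose row was deleted is rejected on its next request, not at the moment the password changes.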
Signing out the user sessions from all the browsers
A user has logged into the application with the same username (email address) but on different browsers (e.g. Chrome, Firefox). Now, the user changes the password on browser 1 and is logged out from browser 1 after the operation. But as the session is still active on browser 2, the user does not get signed out on any action, resulting in a security vulnerability.
Now the requirement is to sign out the user's sessions from all the browsers if the user changes the password from one of the browsers. I am referring to the below links for the solution and have made the mentioned changes, but it looks like I am missing some configurations as the solution is not working as intended.
https://stackoverflow.com/questions/35221022/logout-user-from-all-browser-when-password-is-changed
https://stackoverflow.com/questions/36151800/asp-net-mvc-identity-securitystamp-signout-everywhere
Did I miss something, or is there no such out-of-the-box solution, so that I will have to implement my own custom logic to achieve this?
1 answer
Lan Huang-MSFT 30,176 Reputation points Microsoft External Staff
2022-09-20T07:34:36.233+00:00