Killing a remote application browser session from a new browser session.
-
I have to write ASP.NET code that allows for a user to only have one application session active at a time. What the code needs to do is log out an existing user, or session, if the same user logs into the same application in a different browser. In other words, the new session should kill the old or existing session. Has anyone done this before? One note is that I am using Windows authentication and not Forms.
holdorf wrote:
One note is that I am using Windows authentication and not Forms.
It's almost impossible to sign out if you're using Windows authentication. In most cases, the only way to accomplish it is to restart the browser. One possible option:
- In a database, map the username to a Guid representing their "active session";
- In the "authorize request" event, check for the existence of a custom cookie:
  - If the cookie exists, verify that its value matches the user's "active session" value in the database, and allow or deny the request as required;
  - If the cookie doesn't exist, change the user's "active session" value in the database, and set a session cookie on the response with the new value.
Once a user has been kicked off by signing in on another browser or device, they will need to restart their browser to sign in again. NB: Certain browser settings may cause the browser to retain session cookies even after a restart, which would mean the user would have to manually clear the cookies for your site to sign in again. This affects both Chrome and Firefox, and possibly others.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
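
The cookie check described in the answer above, as an added example (not code from the original thread): a `Global.asax.cs` handler for classic ASP.NET with Windows authentication. The in-memory dictionary stands in for the database table, and the cookie name `ActiveSession` and the 403 response are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: stand-in for the database table mapping username -> active session Guid.
    // A real deployment needs a shared store so the mapping survives app restarts and web farms.
    private static readonly ConcurrentDictionary<string, Guid> ActiveSessions =
        new ConcurrentDictionary<string, Guid>(StringComparer.OrdinalIgnoreCase);

    private const string CookieName = "ActiveSession"; // hypothetical cookie name

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // Windows authentication has already run; ignore anonymous requests.
        if (User == null || !User.Identity.IsAuthenticated) return;
        string userName = User.Identity.Name;

        HttpCookie cookie = Request.Cookies[CookieName];
        if (cookie == null)
        {
            // No cookie: this is a new browser. Rotating the stored value
            // invalidates the cookie held by the user's previous browser.
            Guid fresh = Guid.NewGuid();
            ActiveSessions[userName] = fresh;

            // No Expires value is set, so this is a session cookie.
            var issued = new HttpCookie(CookieName, fresh.ToString("N"));
            issued.HttpOnly = true;                    // not readable from script
            issued.Secure = Request.IsSecureConnection; // HTTPS-only when served over HTTPS
            Response.Cookies.Add(issued);
            return;
        }

        // Cookie present: it must parse and match the user's current active session.
        Guid presented, current;
        bool matches = Guid.TryParseExact(cookie.Value, "N", out presented)
                    && ActiveSessions.TryGetValue(userName, out current)
                    && presented == current;
        if (!matches)
        {
            // Stale or tampered cookie: this browser has been superseded.
            Response.StatusCode = 403;
            CompleteRequest(); // skip the handler and jump to EndRequest
        }
    }
}
```

The stored value is keyed by the authenticated user name, so a cookie copied from one account never validates for another.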