
Force user to logout after change status to inactive

Open abdullahshaqaliah opened this issue 2 years ago • 1 comments

ABP Framework version: 6.0.0

Hi

How can I force a user to log out of all web clients after changing the active status to inactive?

abdullahshaqaliah avatar Dec 18 '22 07:12 abdullahshaqaliah

@maliming ???

abdullahshaqaliah avatar Dec 18 '22 17:12 abdullahshaqaliah

hi

You can consider adding a middleware and checking each request.

maliming avatar Dec 21 '22 01:12 maliming

Is changing SecurityStamp enough for invalidating the auth cookie?

muhlisatac avatar Jan 04 '23 10:01 muhlisatac

Does using the cookie timeout work for this approach?

MathiasKowoll avatar Jan 04 '23 14:01 MathiasKowoll

> Is changing SecurityStamp enough for invalidating the auth cookie?

I already do that, but it doesn't work for other web clients that already have tokens. It is best to use middleware to check this; currently I am using a Redis cache to save users who need to be logged out. But I always save all the inactive users in Redis, because maybe the hacker already has a token that he can send with Postman or another application and can access some resource, because the token contains all the information of the user when the request is sent to any microservice. Also, he doesn't need to check the database on each request to see if the user is inactive to force him to log out.

abdullahshaqaliah avatar Jan 04 '23 15:01 abdullahshaqaliah
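A minimal sketch of the per-request check discussed above (middleware plus a cache of deactivated users), added here as an example and not code from ABP or from anyone in this thread. It uses plain ASP.NET Core with `IDistributedCache` (which can be backed by Redis); the class name, the `deactivated-user:` key format and the claim lookup are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;

// Added example. Register between authentication and authorization:
//   app.UseAuthentication();
//   app.UseMiddleware<DeactivatedUserMiddleware>();
//   app.UseAuthorization();
public class DeactivatedUserMiddleware
{
    // Hypothetical key format shared by the writer and the middleware.
    public const string KeyPrefix = "deactivated-user:";
    private readonly RequestDelegate _next;

    public DeactivatedUserMiddleware(RequestDelegate next) => _next = next;

    // Call this from the code path that sets a user to inactive. No expiry is
    // set, so the entry stays until the user is reactivated and it is removed.
    public static Task MarkDeactivatedAsync(IDistributedCache cache, string userId) =>
        cache.SetAsync(KeyPrefix + userId, new byte[] { 1 },
                       new DistributedCacheEntryOptions());

    public async Task InvokeAsync(HttpContext context, IDistributedCache cache)
    {
        if (context.User.Identity?.IsAuthenticated == true)
        {
            // Cookie principals usually carry NameIdentifier; unmapped JWTs carry "sub".
            var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value
                         ?? context.User.FindFirst("sub")?.Value;

            // One cache read per request instead of a database query.
            if (userId is not null &&
                await cache.GetAsync(KeyPrefix + userId, context.RequestAborted) is not null)
            {
                // The cookie or token is still cryptographically valid, so the
                // request is stopped here: 401 for bearer, login redirect for cookies.
                await context.ChallengeAsync();
                return;
            }
        }

        await _next(context);
    }
}
```

Each microservice that accepts the token has to run the same check against the same cache, otherwise an already-issued token keeps working there until it expires.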

hi

There is a sample that you can refer to.

https://github.com/abpframework/abp-samples/tree/master/ConcurrentLogin
https://support.abp.io/QA/Questions/3047/Disable-concurrent-user-login

maliming avatar Jan 05 '23 02:01 maliming

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 25 '23 03:03 stale[bot]