Forcibly logging out a user

How does one forcibly log out a user?
Scenario: We sometimes need to lock an account. Locking an account in the back office prevents the user from logging in again, but if they are already logged in, they can still access the website.

Litium version: 6.3.7

I don’t think you can affect a session from outside, but you could write an ActionFilterAttribute that checks if the current user is locked out and then logs them out. By adding it to the LitiumController it will be checked for each request.

Something like:

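using System;
using System.Web.Mvc;
// Also needs the Litium namespaces that declare SecurityToken, IoC and
// AuthenticationService (not shown in this post).

public class RevokeLoginFilterAttribute : ActionFilterAttribute
{
	// Runs before every action on the controllers the attribute is applied to.
	public override void OnActionExecuting(ActionExecutingContext filterContext)
	{
		// Only signed-in users have a person and credential to check.
		if (!SecurityToken.CurrentSecurityToken.IsAnonymousUser)
		{
			var person = SecurityToken.CurrentSecurityToken.Person;

			// Locked out: lockout is enabled and its end date is still in the future.
			if (person.LoginCredential.LockoutEnabled
				&& person.LoginCredential.LockoutEndDate > DateTimeOffset.UtcNow)
			{
				IoC.Resolve<AuthenticationService>().SignOut();
			}
		}

		base.OnActionExecuting(filterContext);
	}
}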
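An added example, not part of the reply above and not Litium's own code: the same per-request lockout check, extended so that the request which triggers the sign-out is itself stopped instead of going on to run the action. It assumes ASP.NET MVC 5 (`System.Web.Mvc`) and the Litium calls exactly as used in the reply; the class name, the `IsLockedOut` helper and the `/login` redirect target are hypothetical.

```csharp
using System;
using System.Web.Mvc;
// Also import the Litium namespaces that declare SecurityToken, IoC and
// AuthenticationService; they are not shown on this page.

public class RevokeLockedLoginAttribute : ActionFilterAttribute
{
    // Hypothetical redirect target; use the site's real login page.
    private const string LoginUrl = "/login";

    // Hypothetical helper: the lockout decision as a pure function, so it can
    // be unit-tested without a request. A missing end date means "not locked".
    public static bool IsLockedOut(bool lockoutEnabled, DateTimeOffset? lockoutEnd, DateTimeOffset now)
    {
        return lockoutEnabled && lockoutEnd.HasValue && lockoutEnd.Value > now;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var token = SecurityToken.CurrentSecurityToken;
        if (!token.IsAnonymousUser)
        {
            var credential = token.Person.LoginCredential;
            if (IsLockedOut(credential.LockoutEnabled, credential.LockoutEndDate, DateTimeOffset.UtcNow))
            {
                IoC.Resolve<AuthenticationService>().SignOut();

                // Setting Result short-circuits the pipeline, so the action
                // does not execute for this request. Child actions cannot
                // redirect in MVC, so they render nothing instead.
                filterContext.Result = filterContext.IsChildAction
                    ? (ActionResult)new EmptyResult()
                    : new RedirectResult(LoginUrl);
                return;
            }
        }

        base.OnActionExecuting(filterContext);
    }
}
```

Applied to the LitiumController as the reply suggests, a locked account loses access on its next request rather than at its next login attempt.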

Yeah I figured as much. Thanks!
