如何強制登出網站的所有用戶？

Question

我正在使用MySQL Connector/.NET，它的所有提供者都使用FormsAuthentication。

我需要所有用戶在某個時刻註銷。方法FormsAuthentication.SignOut()不能像我想要的那樣工作。

如何註銷所有網站用戶？

Answer 1

正如Joe所建議的那樣，您可以編寫一個HttpModule來使給定DateTime之前存在的任何Cookie無效。如果你把它放在配置文件中，你可以在必要時添加/刪除它。例如，

Web.config文件：

<appSettings> 
    <add key="forcedLogout" value="30-Mar-2011 5:00 pm" /> 
</appSettings> 

<httpModules> 
    <add name="LogoutModule" type="MyAssembly.Security.LogoutModule, MyAssembly"/> 
</httpModules> 

的HttpModule在MyAssembly.dll程序：

public class LogoutModule: IHttpModule 
{ 
    #region IHttpModule Members 
    void IHttpModule.Dispose() { } 
    void IHttpModule.Init(HttpApplication context) 
    { 
     context.AuthenticateRequest += new EventHandler(context_AuthenticateRequest); 
    } 
    #endregion 


    /// <summary> 
    /// Handle the authentication request and force logouts according to web.config 
    /// </summary> 
    /// <remarks>See "How To Implement IPrincipal" in MSDN</remarks> 
    private void context_AuthenticateRequest(object sender, EventArgs e) 
    { 
     HttpApplication a = (HttpApplication)sender; 
     HttpContext context = a.Context; 

     // Extract the forms authentication cookie 
     string cookieName = FormsAuthentication.FormsCookieName; 
     HttpCookie authCookie = context.Request.Cookies[cookieName]; 
     DateTime? logoutTime = ConfigurationManager.AppSettings["forcedLogout"] as DateTime?; 
     if (authCookie != null && logoutTime != null && authCookie.Expires < logoutTime.Value) 
     { 
      // Delete the auth cookie and let them start over. 
      authCookie.Expires = DateTime.Now.AddDays(-1); 
      context.Response.Cookies.Add(authCookie); 
      context.Response.Redirect(FormsAuthentication.LoginUrl); 
      context.Response.End(); 
     } 
    } 
}