Asp – abandon an InProc ASP.NET session from a session different than one making the request

asp.netsession-statesingle-sign-on

We have an application that does single sign-on using a centralized authentication server (CAS). We'd like to do single sign-out, such that if the user logs out of one application (say a front-end portal), the user is automatically signed out of all applications using the same single sign-on ticket.

The expectation would be that each application would register a sign-out hook (URL) with the CAS at the time of logon to that application. When the CAS receives the sign out request from one of the applications, it invokes the sign-out hook for all the application sharing the SSO ticket.

My question is this: is there a way to abandon an InProc session from a different session? I presume, since the HTTP request will be coming from the CAS server, that it will get its own session, but it is the session of the user that I want to terminate. I have pretty good idea of how to do this using a separate session state server, but I'd like to know if it is possible using InProc session state.

Best Solution

Haha, well... It looks like you can. I was wondering myself if there was any way to do this, turns out, there is.

When you use InProc, the InProcSessionStateStore (internal class) persist the session state in an internal (non public) cache. You can access this cache through reflection and remove the session state manually.

using System;
using System.Reflection;
using System.Web;

object obj = typeof(HttpRuntime).GetProperty("CacheInternal", 
    BindingFlags.NonPublic | BindingFlags.Static)
        .GetValue(null, null);

if (obj != null)
{
    MethodInfo remove = obj.GetType()
        .GetMethod("Remove", BindingFlags.NonPublic | BindingFlags.Instance, 
            Type.DefaultBinder, new Type[] { typeof(string) }, null);

    object proc = remove.Invoke(obj, new object[] { "j" + state.SessionID });
}

The end result is, that the next request will take on the same SessionID, but the HttpSessionState will be empty. You'll still get the Session_Start and Session_End events.

Related Question