Effectively Logout a Specific Principal

Old forum URL: forums.lhotka.net/forums/t/3045.aspx


steve_smith posted on Friday, June 15, 2007

Yes, I want to log out a specific user (principal) from within my web application.

How might I be able to achieve this?

Thanks in advance for assistance!



RockfordLhotka replied on Friday, June 15, 2007

You obviously can't get any immediate results - it is the web, and the best you can do is invalidate their login token the next time they hit your server. In other words, they could sit on your web page for minutes or hours before hitting your web server again, but you can't do anything to them until they hit your web server.

When they do hit your web server, you need a mechanism by which you can detect that the user should get logged out. Obviously this requires some central list of users-to-be-logged-out.

If you have (or may have) a web server farm, then this list will probably need to be in your database. If you only have (and only ever have) one web server, you could use the ASP.NET Application object to store the list.

Either way, in your global.asax code, before re-establishing the user's principal from Session (or wherever you keep it), you need to check this list to see if the user is on it. Since this will happen on every page request, make sure your list can be hit quickly.

If the user is on the list, remove them from the list, call your Logout() method on your principal object and invalidate the ASP.NET security token, then do a redirect to some safe page (like the login page perhaps, or a page explaining to the poor user what just happened to them and why the data they just entered on the page they are posting has now been lost and who they should call to express their frustration ;)).
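
The check described in the reply above, as an added example that is not part of the original post or of CSLA itself. It assumes forms authentication, a single web server, and a principal cached in Session under the key "CslaPrincipal"; `ForcedLogoutList` and its members are hypothetical names.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical single-server list of users to log out. In a web farm the
// same two operations would be backed by an indexed database table instead.
public static class ForcedLogoutList
{
    private static readonly ConcurrentDictionary<string, DateTime> Pending =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Called by the admin action that decides a user must be logged out.
    public static void Add(string userName)
    {
        Pending[userName] = DateTime.UtcNow;
    }

    // Atomic check-and-remove, so only one request performs the logout.
    public static bool TryConsume(string userName)
    {
        DateTime ignored;
        return Pending.TryRemove(userName, out ignored);
    }
}

public class Global : HttpApplication
{
    // Runs on every request that has session state, before the principal
    // is re-established from Session.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        if (Context.Session == null) return;   // no session, e.g. static files
        // "CslaPrincipal" is an assumed session key for the cached principal.
        IPrincipal cached = Context.Session["CslaPrincipal"] as IPrincipal;
        if (cached == null || !cached.Identity.IsAuthenticated) return;

        if (ForcedLogoutList.TryConsume(cached.Identity.Name))
        {
            // Application-specific: call your principal's Logout() here.
            Context.Session.Abandon();         // drop the cached principal
            FormsAuthentication.SignOut();     // expire the auth cookie
            Response.Redirect(FormsAuthentication.LoginUrl, true);
            return;
        }
        Context.User = cached;                 // normal path: restore principal
    }
}
```

Because the entry is removed on the first hit, as the reply describes, a user with a second active session keeps that session; keeping entries until the longest possible session lifetime has passed would cover that case. `FormsAuthentication.SignOut()` only expires the cookie in the browser, so a copied ticket remains valid until its own expiry.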

steve_smith replied on Friday, June 15, 2007

Thanks for that, Rocky.

It was the 'immediate result' that I was after but understand why that can't happen. The approach you've outlined makes good sense and I will post back with any interesting implementation details.

Copyright (c) Marimer LLC