As you figured out, it is a limitation of ASP.NET forms authentication and there is almost nothing to do to invalidate other user sessions. The problem in this case is exacerbated by the way the authentication ticket is created and maintained. When such an (ASP.NET authentication) ticket is created, it is only maintained in the cookie. No record or status about this ticket is maintained on the server side, including information about expiry after a timeout. All such information is encoded into the ticket. Hence, so long as the user's ticket is valid, i.e. the timeout has not expired, the ticket can be stolen and misused. Even restarting Internet Information Services, or for that matter the computer, cannot invalidate the ticket. This issue, discovered by Foundstone and reported to Microsoft, has been acknowledged and published by Microsoft in KB Article 900111.
As Microsoft stated, if these requirements are met, you can protect your authentication token as much as possible:
- Use SSL by configuring the Web application in Microsoft Internet Information Services. This ensures the forms authentication feature will never issue a cookie over a non-SSL connection.
- Enforce TTL and use absolute expiration instead of sliding expiration.
- Use HttpOnly cookies to ensure that cookies cannot be accessed through client script, reducing the chances of replay attacks.
In the next major version we would like to change the default ASP.NET Forms authentication to ASP.NET Identity (Owin), which offers some techniques for solving the session scenarios.
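As an added illustration (not part of the answer above), here is the web.config shape that corresponds to the three points listed: the weak defaults on the left side of each comment and the hardened values beneath. The `forms` and `httpCookies` attributes are real ASP.NET configuration settings; the `loginUrl` path and the 20-minute timeout are assumed placeholder values, and as the answer explains, these settings only narrow the replay window of a stolen ticket, they do not give the server a way to revoke it.

```xml
<configuration>
  <system.web>
    <!-- Weak (typical default): cookie may be sent over HTTP, sliding
         expiration renews the ticket on every request, so a stolen ticket
         stays valid as long as the attacker keeps using it.
         <forms loginUrl="~/Account/Login" requireSSL="false"
                slidingExpiration="true" timeout="2880" />                 -->
    <authentication mode="Forms">
      <!-- Hardened: issue the ticket only over SSL, fixed (absolute) TTL,
           short lifetime, ticket encrypted and signed. -->
      <forms loginUrl="~/Account/Login"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20"
             cookieless="UseCookies"
             protection="All" />
    </authentication>

    <!-- Weak default leaves cookies readable from client script:
         <httpCookies httpOnlyCookies="false" requireSSL="false" />        -->
    <!-- Hardened: HttpOnly keeps the ticket away from script, and requireSSL
         marks every cookie Secure so it is never sent in clear text. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With `slidingExpiration="false"` the ticket's expiry is fixed at issue time and encoded in the ticket itself, so after the timeout the server rejects it regardless of how recently it was last used.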