I found another post that shows that I can use
req.RemoveSession(); in a service to clear a users session but how can I do it outside of an authenticated request?
For instance my use case: an admin changes the role of a user. The user has already authenticated so they can use the app based on the role at the time of authentication. How do I invalidate that specific users session and make them re-authenticate?
It's generally not possible as you would need to know their generated SessionId which isn't mapped backed to the User Id or Username/Email.
So you would need to traverse the existing Sessions and each Session until you've found the one you're looking for, see Inspecting persisted User Sessions for an example. (Only possible in caches which supports querying keys, currently: Redis, OrmLite and In Memory cache providers).
Once you've found the Session you want to remove, you can remove it with the