How can I force a log out of all users for a website?

As Joe suggests, you could write an HttpModule to invalidate any cookies present before a given DateTime. If you put this in the config file, you could add / remove it when necessary. For example,

Web.config:

<appSettings>
  <add key="forcedLogout" value="30-Mar-2011 5:00 pm" />
</appSettings>

<httpModules>
  <add name="LogoutModule" type="MyAssembly.Security.LogoutModule, MyAssembly"/>
</httpModules>

HttpModule in MyAssembly.dll:

public class LogoutModule: IHttpModule
{
    #region IHttpModule Members
    void IHttpModule.Dispose() { }
    void IHttpModule.Init(HttpApplication context)
    {
        context.AuthenticateRequest += new EventHandler(context_AuthenticateRequest);
    }
    #endregion


    /// <summary>
    /// Handle the authentication request and force logouts according to web.config
    /// </summary>
    /// <remarks>See "How To Implement IPrincipal" in MSDN</remarks>
    private void context_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication a = (HttpApplication)sender;
        HttpContext context = a.Context;

        // Extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = context.Request.Cookies[cookieName];
        DateTime? logoutTime = ConfigurationManager.AppSettings["forcedLogout"] as DateTime?;
        if (authCookie != null && logoutTime != null && authCookie.Expires < logoutTime.Value)
        {
            // Delete the auth cookie and let them start over.
            authCookie.Expires = DateTime.Now.AddDays(-1);
            context.Response.Cookies.Add(authCookie);
            context.Response.Redirect(FormsAuthentication.LoginUrl);
            context.Response.End();
        }
    }
}

Based off of @Bret's great answer. I handled some scenarios which allows the forced logout to occur after the user has logged in (on or after) the date specified in the config file (no need to calculate future expiration dates). I believe using his answer will result in user continuously being logged out if the cookies expiration is before the forced logout date. In addition, I am not sure how he was able to retrieve the cookie expiration using the cookie in the request. In my attempts I always received DateTime default value, as explained here: ASP.NET cookie expiration time is always 1/1/0001 12:00 AM

So the idea here is you would need to add the cookie creation DateTime to the principal (NOTE: the type should be nullable DateTime. This will allow handling if this change is made to a site already in use - as principal prior to this did not contain this extra field).

You setup the web.config as he did:

<configuration>
  <appSettings>
    <add key="forcedLogout" value="03-Feb-2021 10:46 pm" />
  </appSettings>
</configuration>

for adding the module to the web.config, you need to determine if you are using application pool integrated mode vs application pool classic mode:

  <system.webServer><!--for integrated mode-->
    <modules>
      <add name="ForceLogoutModule" type="AssemblyName.NameSpace.ForceLogoutModule", AssemblyName />
    </modules>
  </system.webServer>

  <system.web><!--for classic mode-->
     <httpModules>
      <add name="ForceLogoutModule" type="AssemblyName.NameSpace.ForceLogoutModule", AssemblyName />
    </httpModules>
  </system.web>

or you can add the module programmatically as so (in global.asax):

public static IHttpModule Module = new ForceLogoutModule();
public override void Init()
{
    base.Init();
    Module.Init(this);
}

Then your ForceLogout module (can be in same project):

public class ForceLogoutModule : IHttpModule
{
    #region IHttpModule Members
    void IHttpModule.Dispose() { }
    void IHttpModule.Init(HttpApplication context)
    {
        context.AuthenticateRequest += new EventHandler(context_AuthenticateRequest);
    }
    #endregion


    /// <summary>
    /// Handle the authentication request and force logouts according to web.config
    /// </summary>
    /// <remarks>See "How To Implement IPrincipal" in MSDN</remarks>
    private void context_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender as HttpApplication).Context;
        JavaScriptSerializer serializer = new JavaScriptSerializer();
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = context.Request.Cookies[cookieName];
        if (authCookie == null)
            return;
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
        CustomPrincipalSerializeModel principal = serializer.Deserialize<CustomPrincipalSerializeModel>(ticket.UserData);
        DateTime logoutTime;
        DateTime cookieCreation = ticket.IssueDate;

        if (!this.TryParseNullableToDate(ConfigurationManager.AppSettings["forcedLogout"], out logoutTime))
            return;


        if (!principal.Expiration.HasValue
            || (principal.Expiration.Value.ToLocalTime() > logoutTime && cookieCreation < logoutTime
            && DateTime.Now >= logoutTime.Date))
        {
            authCookie.Expires = DateTime.Now.AddDays(-1);
            context.Response.Cookies.Add(authCookie);
            context.Response.Redirect(FormsAuthentication.LoginUrl);
            context.Response.End();
        }
    }

    private bool TryParseNullableToDate(string value, out DateTime dateTime)
    {
        DateTime temp;
        if (string.IsNullOrWhiteSpace(value) || !DateTime.TryParse(value, out temp))
        {
            dateTime = DateTime.MinValue;
            return false;
        }

        dateTime = temp;
        return true;
    }
}