ASP.NET ASPXAUTH authentication cookie is not cleared upon logout

I use ASP.NET authentication together with the integrated authentication web service.

The user is logged in with forms authentication on the login page.
To log out, I call the authentication web service from Silverlight and sign out there.

Everything worked fine, but now IE is going crazy and no longer logs out.

I used Fiddler, and it turned out that the authentication service returns a Set-Cookie to clear the ASPXAUTH cookie, but the next IE request still sends the cookie.
Thus, because the cookie still exists, the user is treated as authenticated and redirected back, not to the login page.

I checked and did not find any other description of the problem. I can't reproduce it, and my colleagues who see the erroneous IE behaviour get it in one environment and not in another (one has the problem on DEV and the other on the PreProd server).

Any idea what could happen?

+6
authentication internet-explorer cookies
3 answers

I had this problem, and to make sure the user is logged out, I now use the following code snippet:

```csharp
FormsAuthentication.SignOut();

// Drop all the information held in the session
Session.Clear();
Session.Abandon();

// Clear the authentication cookie by sending it back already expired
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// Clear the session cookie the same way
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

// Redirect the user to the login page; 'true' ends the current response immediately
Response.Redirect("YourLoginPage.aspx", true);
```
+4

To avoid this problem, the moment you call SignOut, the next call should be Redirect(pageLogOut, true); and discontinue any other actions until the redirect is complete. The true parameter is very important.

After calling SignOut(), you must force the browser to clear the cookie, because if authentication requests a cookie again for any reason, the cookie gets more time to live and is not removed from the browser, because that request will override the SignOut command.

So, after SignOut, redirect to the page, or make sure you clear the cookies in the browser and do not request anything related to user authentication again until the cookies are completely written to the browser.

I hope this helps.

+2

The problem you are facing is probably related to the cookie domain. A cookie may be written on "." + FormsAuthentication.CookieDomain. I previously set cookies to the admin.example.com domain and saw that the cookie was added to . In a dev environment, it is written to localhost.

The solution I'm using is to add two cookies each, for the authentication cookie and for the session cookie.

So, I am using the following solution:

```csharp
using System;
using System.Web;
using System.Web.Security;

protected void SignOut(HttpContext Context)
{
    FormsAuthentication.SignOut();
    Context.Session.Abandon();

    // Use the configured cookie domain if there is one, otherwise the request host
    string cookieDomain = Convert.ToString(FormsAuthentication.CookieDomain);
    string host = (cookieDomain.Length > 0) ? cookieDomain : Context.Request.Url.Host;

    // clear authentication cookie: once for the bare host, once for the dotted domain form
    Context.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName)
    {
        Path = FormsAuthentication.FormsCookiePath,
        Value = "",
        Domain = host,
        HttpOnly = true,
        Expires = DateTime.Now.AddYears(-1)
    });
    Context.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName)
    {
        Path = FormsAuthentication.FormsCookiePath,
        Value = "",
        Domain = "." + host,
        HttpOnly = true,
        Expires = DateTime.Now.AddYears(-1)
    });

    // clear session cookie (not necessary for the current problem but recommended anyway)
    Context.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId")
    {
        Path = FormsAuthentication.FormsCookiePath,
        Value = "",
        Domain = host,
        HttpOnly = true,
        Expires = DateTime.Now.AddYears(-1)
    });
    Context.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId")
    {
        Path = FormsAuthentication.FormsCookiePath,
        Value = "",
        Domain = "." + host,
        HttpOnly = true,
        Expires = DateTime.Now.AddYears(-1)
    });

    FormsAuthentication.RedirectToLoginPage();
}
```

The result of this call will add the following headers to the response:

```http
Location: /Login.aspx?ReturnUrl=Default.aspx
Set-Cookie: ****=; expires=Tue, 12-Oct-1999 05:00:00 GMT; Path=/; HttpOnly
Set-Cookie: ****=; domain=admin.example.com; expires=Wed, 23-Apr-2014 18:04:58 GMT; Path=/; HttpOnly
Set-Cookie: ****=; domain=.admin.example.com; expires=Wed, 23-Apr-2014 18:04:58 GMT; Path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=; domain=admin.example.com; expires=Wed, 23-Apr-2014 18:04:58 GMT; Path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=; domain=.admin.example.com; expires=Wed, 23-Apr-2014 18:04:58 GMT; Path=/; HttpOnly
```

Where **** is the name of my cookie containing my encrypted authentication ticket value.

Note that the first Set-Cookie is most likely generated by the call to the FormsAuthentication.SignOut() method.

0
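As an added illustration (not code from any of the answers), the following Python model of an old-style browser cookie jar keyed by cookie name and domain shows why the two answers above work: the host-only deletion that SignOut() alone emits leaves a ticket stored under the dotted domain untouched (answer 3), and a renewed ticket later in the same response survives the deletion (answer 2). The host admin.example.com, the clock and the sample headers are constructed for the scenario.

```python
from datetime import datetime, timezone
HOST = "admin.example.com"  # constructed host, the domain shown in the answer's headers
NOW = datetime(2014, 4, 23, 18, 0, 0, tzinfo=timezone.utc)  # assumed browser clock
FMT = "%a, %d-%b-%Y %H:%M:%S GMT"  # Netscape expires format, as ASP.NET emits it

def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header; no domain attribute means host-only (Path ignored: all are /)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": request_host, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lower()
        elif key == "expires":
            cookie["expires"] = datetime.strptime(val, FMT).replace(tzinfo=timezone.utc)
    return cookie

def domain_matches(host, domain):
    if domain.startswith("."):  # domain cookie: the host itself or any subdomain
        return host == domain[1:] or host.endswith(domain)
    return host == domain       # host-only cookie

class CookieJar:
    """Entries keyed by (name, domain): an expired Set-Cookie removes only the exact key."""
    def __init__(self):
        self.store = {}
    def apply(self, host, set_cookie_headers):
        for header in set_cookie_headers:
            c = parse_set_cookie(header, host)
            key = (c["name"], c["domain"])
            if c["expires"] is not None and c["expires"] <= NOW:
                self.store.pop(key, None)  # deletion touches only this exact key
            else:
                self.store[key] = c["value"]
    def cookies_for(self, host):
        return {n: v for (n, d), v in self.store.items() if domain_matches(host, d)}

def still_authenticated_after(logout_headers):
    """Ticket stored under the dotted domain at login, then the logout response is applied."""
    jar = CookieJar()
    jar.apply(HOST, [".ASPXAUTH=ticket; domain=.admin.example.com; path=/; HttpOnly"])
    jar.apply(HOST, logout_headers)
    return ".ASPXAUTH" in jar.cookies_for(HOST)

EXPIRED = "expires=Tue, 12-Oct-1999 05:00:00 GMT; path=/; HttpOnly"
SIGNOUT_ONLY = [".ASPXAUTH=; " + EXPIRED]  # what SignOut() alone emits: a host-only deletion
BOTH_FORMS = SIGNOUT_ONLY + [".ASPXAUTH=; domain=.admin.example.com; " + EXPIRED]  # answer 3
RENEWED = SIGNOUT_ONLY + [".ASPXAUTH=ticket2; domain=.admin.example.com; path=/"]  # answer 2's case
```

Checking the ticket's domain form in Fiddler on login, and comparing it with the domain on the logout Set-Cookie, is the quickest way to confirm this mismatch in a real deployment.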
