ASP.NET Forms Authentication Cookie

Discussion in 'ASP .Net' started by tdavisjr, Mar 27, 2007.

  1. tdavisjr

    tdavisjr Guest

    Hi,

    Does anyone know how to force asp.net authentication to create a new
    session cookie after using the FormsAuthentication.SignOut() method?
    ASP.NET_SessionId is the name of the session cookie that is used;
    however, after logging out, the value of this session cookie remains
    the same and users may be able to hit the back button without my
    application prompting for another login. Please see the code snippet
    below to show you ways I am trying to remove this session cookie
    value:

    FormsAuthentication.SignOut()
    Session("ASP.NET_SessionId") = Nothing
    Session.Clear()
    Session.Abandon()

    Thanks
     
    tdavisjr, Mar 27, 2007
    #1

  2. tdavisjr

    tdavisjr Guest

    Yes, this is what a third-party security firm who is doing an ethical
    hack on our site is telling me. I can't reproduce this behavior in my
    browser; but they are using some tool to capture the session, save the
    session cookie, and then they are replaying back the session using the
    same session id and they say that they are able to access the secured
    pages after logout. I'm leaning towards not using cookies for session
    information if there are no other suggestions. Thanks for the response
    though, I've been stuck on this one for a while. Maybe this is by
    design, which someone hinted to me in another post.
     
    tdavisjr, Mar 27, 2007
    #2

  3. tdavisjr

    bruce barker Guest

    you can supply your own sessionid manager, which enforces whatever rules
    you want.

    -- bruce (sqlwork.com)

    tdavisjr wrote:
    > Hi,
    >
    > Does anyone know how to force asp.net authentication to create a new
    > session cookie after using the FormsAuthentication.SignOut() method?
    > ASP.NET_SessionId is the name of the session cookie that is used;
    > however, after logging out, the value of this session cookie remains
    > the same and users may be able to hit the back button without my
    > application prompting for another login. Please see the code snippet
    > below to show you ways I am trying to remove this session cookie
    > value:
    >
    > FormsAuthentication.SignOut()
    > Session("ASP.NET_SessionId") = Nothing
    > Session.Clear()
    > Session.Abandon()
    >
    > Thanks
    >
     
    bruce barker, Mar 27, 2007
    #3
  4. tdavisjr

    Bruno Piovan Guest

    Hi,
    when the user hits back, is he still allowed to navigate as an authenticated
    user?

    I have no problems using only SignOut method in my applications.

    Bruno

    "tdavisjr" <> wrote in message
    news:...
    > Hi,
    >
    > Does anyone know how to force asp.net authentication to create a new
    > session cookie after using the FormsAuthentication.SignOut() method?
    > ASP.NET_SessionId is the name of the session cookie that is used;
    > however, after logging out, the value of this session cookie remains
    > the same and users may be able to hit the back button without my
    > application prompting for another login. Please see the code snippet
    > below to show you ways I am trying to remove this session cookie
    > value:
    >
    > FormsAuthentication.SignOut()
    > Session("ASP.NET_SessionId") = Nothing
    > Session.Clear()
    > Session.Abandon()
    >
    > Thanks
    >
     
    Bruno Piovan, Mar 27, 2007
    #4
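
Added example, not code from any poster in this thread: one way to make the replay described in post #2 fail is to tie the forms authentication ticket to a marker held in server-side session state, so cookies captured before logout no longer pass once Session.Abandon() has run. This is a different technique from the custom session ID manager suggested in post #3; the class name Global_asax, the "AuthMarker" key and the SignIn/SignOut helpers are assumptions, and the default cookie name ASP.NET_SessionId is assumed.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

' Global.asax code-behind (class name assumed; use the one your project generates).
Public Class Global_asax
    Inherits HttpApplication

    Private Const MarkerKey As String = "AuthMarker" ' hypothetical session key

    ' Call once credentials are verified, before leaving the login page.
    Public Shared Sub SignIn(ByVal ctx As HttpContext, ByVal userName As String)
        ctx.Session(MarkerKey) = userName      ' server-side record of this login
        FormsAuthentication.SetAuthCookie(userName, False)
    End Sub

    ' Call from the logout page.
    Public Shared Sub SignOut(ByVal ctx As HttpContext)
        FormsAuthentication.SignOut()          ' only expires the ticket cookie in the browser
        ctx.Session.Clear()
        ctx.Session.Abandon()                  ' discards the server-side session state
        ' Blank and expire the session cookie so the browser stops sending the old ID.
        Dim c As New HttpCookie("ASP.NET_SessionId", "")
        c.Expires = DateTime.UtcNow.AddYears(-1)
        c.HttpOnly = True
        ctx.Response.Cookies.Add(c)
    End Sub

    ' Runs on each request after session state has been loaded.
    Sub Application_AcquireRequestState(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = HttpContext.Current
        ' Session is Nothing for handlers that do not use session state;
        ' those requests are not covered by this check.
        If ctx.Session Is Nothing OrElse Not ctx.Request.IsAuthenticated Then Return

        ' A ticket replayed after logout arrives with a session that has no marker.
        Dim marker As String = TryCast(ctx.Session(MarkerKey), String)
        If Not String.Equals(marker, ctx.User.Identity.Name, StringComparison.Ordinal) Then
            SignOut(ctx)
            FormsAuthentication.RedirectToLoginPage()
            CompleteRequest()                  ' skip the page handler, go to EndRequest
        End If
    End Sub
End Class
```

With this check in place a user whose session times out before the authentication ticket expires is also sent back to the login page, so the two timeouts should be set with that in mind.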