ASP.NET Forms Authentication Cookie

tdavisjr

Hi,

Does anyone know how to force ASP.NET authentication to create a new
session cookie after using the FormsAuthentication.SignOut() method?
ASP.NET_SessionId is the name of the session cookie that is used;
however, after logging out, the value of this session cookie remains
the same, and users may be able to hit the back button without my
application prompting for another login. Please see the code snippet
below to show you the ways I am trying to remove this session cookie
value:

' Removes the forms-authentication ticket cookie only
FormsAuthentication.SignOut()
' Session keys are application data, not the session id cookie
Session("ASP.NET_SessionId") = Nothing
' Clears values stored in the current session
Session.Clear()
' Marks the session for destruction at the end of the request
Session.Abandon()

Thanks
 
tdavisjr

Yes, this is what a third-party security firm who is doing an ethical
hack on our site is telling me. I can't reproduce this behavior in my
browser; but they are using some tool to capture the session, save the
session cookie, and then they are replaying back the session using the
same session id, and they say that they are able to access the secured
pages after logout. I'm leaning towards not using cookies for session
information if there are no other suggestions. Thanks for the response
though, I've been stuck on this one for a while. Maybe this is by
design, which someone hinted to me in another post.
 
bruce barker

you can supply your own sessionid manager, which enforces whatever rules
you want.

-- bruce (sqlwork.com)
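One way to build the custom session id manager Bruce mentions, as an added example that is not code from the thread or from any of its posters: a subclass of SessionIDManager whose Validate override rejects ids revoked at logout, so a replayed ASP.NET_SessionId cookie is treated as unknown and a fresh id is issued. The assembly name "MyApp", the class names and the one-hour revocation window are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Added example: refuses session ids that were revoked on logout.
// Register in web.config (assumed assembly name "MyApp"):
// <sessionState sessionIDManagerType="RevocableSessionIdManager, MyApp" />
public class RevocableSessionIdManager : SessionIDManager
{
    // In-process store of revoked ids; a web farm needs a shared store.
    private static readonly ConcurrentDictionary<string, DateTime> Revoked =
        new ConcurrentDictionary<string, DateTime>();

    public static void Revoke(string sessionId)
    {
        if (string.IsNullOrEmpty(sessionId)) return;
        Revoked[sessionId] = DateTime.UtcNow;

        // Drop entries older than the assumed maximum session lifetime (1 h),
        // after which the server-side state is gone anyway.
        DateTime cutoff = DateTime.UtcNow.AddHours(-1), unused;
        foreach (var kv in Revoked)
            if (kv.Value < cutoff) Revoked.TryRemove(kv.Key, out unused);
    }

    // SessionIDManager.GetSessionID calls Validate on the id read from the
    // cookie; returning false makes ASP.NET ignore it and issue a new id.
    public override bool Validate(string id)
    {
        return base.Validate(id) && !Revoked.ContainsKey(id);
    }
}

public static class LogoutHelper
{
    // Full logout: revoke the id, abandon the session, end forms auth,
    // and expire both cookies in the browser.
    public static void SignOutCompletely(HttpContext ctx)
    {
        RevocableSessionIdManager.Revoke(ctx.Session.SessionID);
        ctx.Session.Clear();
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        foreach (var name in new[] { "ASP.NET_SessionId", FormsAuthentication.FormsCookieName })
            ctx.Response.Cookies.Add(new HttpCookie(name, string.Empty)
                { Expires = DateTime.UtcNow.AddYears(-1), HttpOnly = true });
    }
}
```

Call LogoutHelper.SignOutCompletely(HttpContext.Current) from the logout handler; the replayed cookie then fails Validate on the server regardless of whether the browser honoured the expiry.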
 
Bruno Piovan

Hi,
when the user hits back, is he still allowed to navigate as an authenticated
user?

I have no problems using only SignOut method in my applications.

Bruno
 
