Expire Forms Authentication Ticket on Server Side

ray

I am using the following code to log users out,

FormsAuthentication.SignOut()
Session.Abandon()
Response.Redirect("Login.aspx")

The signout method is removing the forms authentication cookie from the
response headers that are sent back to the browser so the user is
forced to log in again. However, my security group was able to take a
copy of the cookie and send it in a request to our server and was able
to gain entry up until the forms authentication ticket times out on its
own.

Is there any way to programmatically expire the forms authentication
ticket on the server side? Or is there some configuration needed to
make sure this is done when the user is logged out? Any help is
appreciated.
 
Dominick Baier [DevelopMentor]

Hello ray,

I am afraid, no, this is not possible.

FormsAuth has no special logic on the server to "remember" a user, otherwise
it would not be scalable. As long as the FormsAuthModule can decrypt the
cookie, and it is in its validity time, the request is authentic.
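
FormsAuth keeps no server-side record of tickets, so expiring one before its timeout means the application has to hold that state itself. The following is an added example, not code from this thread or from ASP.NET: it records each user's logout time and treats any ticket issued at or before it as unauthenticated. `LogoutRegistry` and its members are hypothetical names, and user names are assumed to be case-insensitive.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not an ASP.NET API): remembers when each user last logged out.
public static class LogoutRegistry
{
    // In-memory, so it covers one worker process only; a web farm needs a shared store.
    // An entry can be dropped once the configured forms timeout has passed since logout.
    private static readonly ConcurrentDictionary<string, DateTime> LoggedOutUtc =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logout handler, before FormsAuthentication.SignOut():
    //   LogoutRegistry.RecordLogout(User.Identity.Name);
    public static void RecordLogout(string userName)
    {
        if (!string.IsNullOrEmpty(userName))
            LoggedOutUtc[userName] = DateTime.UtcNow;
    }

    // True when the ticket was issued at or before that user's last logout.
    public static bool IsStale(FormsAuthenticationTicket ticket)
    {
        DateTime logoutUtc;
        return LoggedOutUtc.TryGetValue(ticket.Name, out logoutUtc)
            && ticket.IssueDate.ToUniversalTime() <= logoutUtc;
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has accepted the cookie and set Context.User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || !Request.IsAuthenticated) return;

        // Decrypt the cookie as received: with sliding expiration the module may already
        // have renewed the ticket, and the renewed copy carries a fresh IssueDate.
        FormsAuthenticationTicket received = FormsAuthentication.Decrypt(cookie.Value);
        if (received == null || !LogoutRegistry.IsStale(received)) return;

        FormsAuthentication.SignOut();   // replaces any renewed cookie queued on the response
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}
```

Because the check is keyed on user name, a logout invalidates every ticket that user was issued before it, including sessions in other browsers. Cookieless (URL-embedded) tickets are not covered by this handler.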
 
