Expire Forms Authentication Ticket on Server Side

Discussion in 'ASP .Net Security' started by ray, Aug 4, 2005.

  1. ray

    ray Guest

    I am using the following code to log users out,

    FormsAuthentication.SignOut()
    Session.Abandon()
    Response.Redirect("Login.aspx")

    The signout method is removing the forms authentication cookie from the
    response headers that are sent back to the browser so the user is
    forced to log in again. However, my security group was able to take a
    copy of the cookie and send it in a request to our server and was able
    to gain entry up until the forms authentication ticket times out on its
    own.

    Is there any way to programmatically expire the forms authentication
    ticket on the server side? Or is there some configuration needed to
    make sure this is done when the user is logged out? Any help is
    appreciated.
    ray, Aug 4, 2005
    #1

  2. Hello ray,

    I am afraid, no, this is not possible.

    FormsAuth has no special logic on the server to "remember" a user, otherwise
    it would not be scalable. As long as the FormsAuthModule can decrypt the
    cookie, and it is in its validity time, the request is authentic.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I am using the following code to log users out,
    >
    > FormsAuthentication.SignOut()
    > Session.Abandon()
    > Response.Redirect("Login.aspx")
    >
    > The signout method is removing the forms authentication cookie from
    > the response headers that are sent back to the browser so the user is
    > forced to log in again. However, my security group was able to take a
    > copy of the cookie and send it in a request to our server and was able
    > to gain entry up until the forms authentication ticket times out on
    > its own.
    >
    > Is there any way to programmatically expire the forms authentication
    > ticket on the server side? Or is there some configuration needed to
    > make sure this is done when the user is logged out? Any help is
    > appreciated.
    >
    Dominick Baier [DevelopMentor], Aug 4, 2005
    #2
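
Added example, not part of either post and not framework code: FormsAuth itself keeps no server-side state, but an application can record a per-user logout cutoff and check it on every request, so a copied cookie issued before logout is rejected. Assumes ASP.NET 2.0 or later and a single web server; `Global_asax`, `RevokeTickets` and `RevocationKey` are hypothetical names.

```vb
' Global.asax.vb (added example; Global_asax, RevokeTickets and RevocationKey are hypothetical names)
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Caching
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    Private Shared Function RevocationKey(ByVal userName As String) As String
        Return "fa-revoked:" & userName.ToLowerInvariant()
    End Function

    ' Call from the logout page BEFORE FormsAuthentication.SignOut().
    ' Records "tickets for this user issued up to now are void".
    Public Shared Sub RevokeTickets(ByVal ctx As HttpContext)
        Dim id As FormsIdentity = Nothing
        If ctx.User IsNot Nothing Then id = TryCast(ctx.User.Identity, FormsIdentity)
        If id Is Nothing Then Return
        ' Keep the marker for one full ticket lifetime; after that, every ticket
        ' issued before this moment has expired on its own.
        Dim lifetime As TimeSpan = id.Ticket.Expiration - id.Ticket.IssueDate
        ' Assumption: single server. HttpRuntime.Cache is per-process, so a web
        ' farm or an app-pool recycle needs a shared store (database) instead.
        HttpRuntime.Cache.Insert(RevocationKey(id.Name), DateTime.UtcNow, Nothing, _
            DateTime.UtcNow.Add(lifetime), Cache.NoSlidingExpiration, _
            CacheItemPriority.NotRemovable, Nothing)
    End Sub

    ' Runs on every request, after FormsAuthenticationModule has decrypted the
    ' cookie and set Context.User.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Context.User Is Nothing Then Return
        Dim id As FormsIdentity = TryCast(Context.User.Identity, FormsIdentity)
        If id Is Nothing Then Return
        Dim cutoff As Object = HttpRuntime.Cache(RevocationKey(id.Name))
        If cutoff Is Nothing Then Return
        If id.Ticket.IssueDate.ToUniversalTime() <= CType(cutoff, DateTime) Then
            ' Replayed pre-logout ticket: downgrade to anonymous so the
            ' <authorization> rules send the request to the login page.
            Context.User = New GenericPrincipal(New GenericIdentity(String.Empty), New String() {})
            FormsAuthentication.SignOut()
        End If
    End Sub
End Class
```

Call `Global_asax.RevokeTickets(Context)` on the logout page before `FormsAuthentication.SignOut()`. Because the cutoff is per user, it also ends that user's sessions in other browsers.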