Forms Authentication Persistent Cookies Problem

Discussion in 'ASP .Net' started by Joey Powell, Dec 12, 2003.

  1. Joey Powell

    Joey Powell Guest

    Hello, I originally configured my application to use persistent
    cookies in error. Now, I need to find a way to disable those cookies.
    I have tried changing usernames and passwords for all of the users,
    but that doesn't help - they can still access our site using their old
    persistent cookies. How can I disable them and force the users to log
    in again?
     
    Joey Powell, Dec 12, 2003
    #1
    1. Advertising

  2. Hi Joey,

    Based on my research and experience, we have two solutions for this issue.

    1. Clean the cookies on the client side.

    2. Call the FormsAuthentication.SignOut Method.

    Please refer to the following URLs for the detailed information regarding
    this issue.

    FormsAuthentication.SignOut Method
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/
    frlrfSystemWebSecurityFormsAuthenticationClassSignOutTopic.asp
    "...
    This removes either durable or session cookies.
    ..."

    HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    Using C# .NET
    http://support.microsoft.com/default.aspx?scid=kb;en-us;301240

    HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    Using Visual Basic .NET
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;308157

    Does it answer your question? If I have misunderstood your concern, please
    feel free to let me know.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! ¨C www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
     
    Jacob Yang [MSFT], Dec 12, 2003
    #2
    1. Advertising

  3. Joey Powell

    Joey Powell Guest

    Jacob, I understand that. But neither of these solutions is practical,
    because I don't have access to the client machines. Doesn't it make
    sense to assume that asp.net would provide some way for me to control
    access to *my* application, and from *my* web server.

    If I want to "turn off" the user's access to my application, are you
    saying that I will have to travel hundreds of miles and visit dozens
    of machines to manually remove persistent cookies? If that is the case
    then I am the developer of a web application that I cannot control
    access to. This does not make any sense to me. Please advise.

    (Jacob Yang [MSFT]) wrote in message news:<7nd8#>...
    > Hi Joey,
    >
    > Based on my research and experience, we have two solutions for this issue.
    >
    > 1. Clean the cookies on the client side.
    >
    > 2. Call the FormsAuthentication.SignOut Method.
    >
    > Please refer to the following URLs for the detailed information regarding
    > this issue.
    >
    > FormsAuthentication.SignOut Method
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/
    > frlrfSystemWebSecurityFormsAuthenticationClassSignOutTopic.asp
    > "...
    > This removes either durable or session cookies.
    > .."
    >
    > HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    > Using C# .NET
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;301240
    >
    > HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    > Using Visual Basic .NET
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;308157
    >
    > Does it answer your question? If I have misunderstood your concern, please
    > feel free to let me know.
    >
    > Best regards,
    >
    > Jacob Yang
    > Microsoft Online Partner Support
    > Get Secure! ¨C www.microsoft.com/security
    > This posting is provided "as is" with no warranties and confers no rights.
     
    Joey Powell, Dec 12, 2003
    #3
  4. Hi Joey,

    Thank you for your update. It seems that there is some misunderstanding in
    this issue.

    As I understand, what you really want is:

    1. Disable the cookies so that the user cannot access the web page without
    login.

    2. You still want to use the persistent cookies feature in your web
    application.

    My meaning of my past post is not that you have to travel hundreds of miles
    and visit dozens of machines. I think that you can ask your customers to do
    it on the client side. I apologize for it if there is any misunderstanding.
    Since the two solutions in my past post are not practical to you, I have
    another solution for your reference. Please check the following articles
    carefully which I have mentioned in my past post:

    HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    Using C# .NET
    http://support.microsoft.com/default.aspx?scid=kb;en-us;301240

    HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    Using Visual Basic .NET
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;308157

    In the web.config file, we can find the following code:
    ...
    <authentication mode="Forms">
    <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
    protection="All" path="/" timeout="30" />
    </authentication>
    ...

    Please change the value of the "name" (name=".ASPXFORMSDEMO") and rebuild
    your web application. In addition, would you please tell me the value of
    the "timeout" on your side?

    If I have misunderstood your concern, please feel free to let me know.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! ¨C www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
     
    Jacob Yang [MSFT], Dec 15, 2003
    #4
  5. Joey Powell

    Joey Powell Guest

    Thanks guys for your help. I finally got it. I did not realize that I
    all I needed to do was change the name of the cookie!

    (Jacob Yang [MSFT]) wrote in message news:<>...
    > Hi Joey,
    >
    > Thank you for your update. It seems that there is some misunderstanding in
    > this issue.
    >
    > As I understand, what you really want is:
    >
    > 1. Disable the cookies so that the user cannot access the web page without
    > login.
    >
    > 2. You still want to use the persistent cookies feature in your web
    > application.
    >
    > My meaning of my past post is not that you have to travel hundreds of miles
    > and visit dozens of machines. I think that you can ask your customers to do
    > it on the client side. I apologize for it if there is any misunderstanding.
    > Since the two solutions in my past post are not practical to you, I have
    > another solution for your reference. Please check the following articles
    > carefully which I have mentioned in my past post:
    >
    > HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    > Using C# .NET
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;301240
    >
    > HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
    > Using Visual Basic .NET
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;308157
    >
    > In the web.config file, we can find the following code:
    > ..
    > <authentication mode="Forms">
    > <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
    > protection="All" path="/" timeout="30" />
    > </authentication>
    > ..
    >
    > Please change the value of the "name" (name=".ASPXFORMSDEMO") and rebuild
    > your web application. In addition, would you please tell me the value of
    > the "timeout" on your side?
    >
    > If I have misunderstood your concern, please feel free to let me know.
    >
    > Best regards,
    >
    > Jacob Yang
    > Microsoft Online Partner Support
    > Get Secure! ¨C www.microsoft.com/security
    > This posting is provided "as is" with no warranties and confers no rights.
     
    Joey Powell, Dec 26, 2003
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Max
    Replies:
    5
    Views:
    709
    John Saunders
    Jan 3, 2005
  2. Andy Fish
    Replies:
    3
    Views:
    6,609
    Fredrik Lindner
    Nov 6, 2003
  3. _Who
    Replies:
    7
    Views:
    2,775
  4. gk
    Replies:
    7
    Views:
    1,033
    Tom Anderson
    Oct 12, 2010
  5. Ben Ong
    Replies:
    0
    Views:
    144
    Ben Ong
    Feb 1, 2005
Loading...

Share This Page