FormsAuthentication.SignOut(); doesn't work...

Discussion in 'ASP .Net Security' started by mo, Oct 23, 2005.

  1. mo

    mo Guest

    My current project uses FormsAuthentication. I need a logoff page -

    my logoff page contains the following in the Page_Load:
    Session.Abandon();

    FormsAuthentication.SignOut();

    After 'logging off', HttpContext.Current.User.Identity.IsAuthenticated and
    Request.IsAuthenticated is still true and the user can still access pages
    that they should not be able to..

    What's up with this??? I've seen quite a few posts on the web, but no firm
    answer



    thanks!
     
    mo, Oct 23, 2005
    #1

  2. Hello mo,

    use a tool like www.fiddlertool.com to check if the cookie is really cleared...


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 23, 2005
    #2

  3. mo

    mo Guest

    Hey - very nice tool! Thanks!!!

    that's exactly the problem, the cookie is not cleared. Therefore the user is
    still able to roam about the site - they are never logged off. Another
    strange thing is that if a user does log back on, it DOES reset the cookie.
    I am not using persistent cookies either...

    My login code is below:

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                                    // ticket version
        Request.Form["username"],             // user name
        System.DateTime.Now,                  // issue time
        System.DateTime.Now.AddMinutes(30),   // expiration
        false,                                // not persistent
        userContextElement.OuterXml,          // user data
        FormsAuthentication.FormsCookiePath   // cookie path
    );

    // Encrypt the ticket.
    string encTicket = FormsAuthentication.Encrypt(ticket);

    // Create the cookie.
    Response.Cookies.Add(
        new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

    // Redirect to requested url...

    ???

    thanks,
    mo



     
    mo, Oct 23, 2005
    #3
  4. mo

    mo Guest

    Finally!

    I found that the 'path' is the culprit in the web.config.

    I changed from: path="~/" to: path="/" and now it works...

    Thanks for the tips on the tools Dominick.



     
    mo, Oct 24, 2005
    #4
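
The check suggested in the thread (inspect the cookie in the logoff response) can be reproduced offline. The following is an added example, not code from any poster: a simplified model of how a browser stores and evicts cookies under RFC 6265, showing why an expiry cookie whose path does not match the login cookie's path leaves the ticket in place. The header values, the /shop/ URLs and the assumption that the logoff response carried path=~/ are constructed for illustration; .ASPXAUTH is the ASP.NET default forms cookie name.

```python
# Added example: simplified browser cookie store for one host (RFC 6265 rules).
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values; the ticket value is a placeholder.
LOGIN = ".ASPXAUTH=TICKET-PLACEHOLDER; path=/"
LOGOUT_TILDE = ".ASPXAUTH=; expires=Tue, 12 Oct 1999 00:00:00 GMT; path=~/"
LOGOUT_ROOT = ".ASPXAUTH=; expires=Tue, 12 Oct 1999 00:00:00 GMT; path=/"


def default_path(request_path):
    """RFC 6265 5.1.4: directory of the request path, or "/" at the root."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def apply_set_cookie(jar, header, request_path, now):
    """Store or evict one cookie; the jar is keyed by (name, path)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    path = attrs.get("path", "")
    if not path.startswith("/"):
        # A Path that does not begin with "/" (such as "~/") is ignored.
        path = default_path(request_path)
    expires = attrs.get("expires")
    if expires and parsedate_to_datetime(expires) <= now:
        jar.pop((name, path), None)  # evicts only the identical name + path
    else:
        jar[(name, path)] = value


def cookie_survives_logout(login_hdr, logout_hdr, logout_url_path,
                           name=".ASPXAUTH"):
    """True if the auth cookie is still in the jar after the logoff response."""
    now = datetime(2005, 10, 23, tzinfo=timezone.utc)  # constructed clock
    jar = {}
    apply_set_cookie(jar, login_hdr, "/shop/login.aspx", now)
    apply_set_cookie(jar, logout_hdr, logout_url_path, now)
    return any(cookie_name == name for cookie_name, _ in jar)


if __name__ == "__main__":
    print(cookie_survives_logout(LOGIN, LOGOUT_TILDE, "/shop/logoff.aspx"))
    print(cookie_survives_logout(LOGIN, LOGOUT_ROOT, "/shop/logoff.aspx"))
```

In this model a logoff page served from the site root would clear the cookie even with path=~/, because the fallback default path is then "/"; a logout test should therefore be run from the URL the application actually uses.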
