FormsAuthentication.SignOut() and User.Identity

Mark Olbert

FormsAuthentication.SignOut() removes the authorization ticket from a user (and the user's roles), but does not change the user's
identity.

I need to be able to either revert the user to the "totally unauthenticated" state, or change his identity to a different state
after SignOut().

Unfortunately, calling SetAuthCookie() after SignOut() doesn't change the identity. It's as if once an identity is assigned, you're
stuck with it for the entire session.

How can I do this?

- Mark
 
Guest

The HttpContext.User.Identity property is get / set:

[C#]
public IPrincipal User {get; set;}

This *should* mean that you can set it to either null or some neutral
Identity object.

Hope that helps.
Peter
 
Mark Olbert

Peter,

You got it in 1. Sometimes I wonder how programming got done before the internet...

Thanks!

- Mark
 
Steven Cheng[MSFT]

Hi Mark

As for the Forms Authentication, the current User Identity is attached
during the beginning of each ASP.NET request (done in the
FormsAuthentication's HttpModule....), in ASP.NET 1.1 we need to manually
do this while ASP.NET 2.0 encapsulates this....

You can visit the following kb (discussing asp.net 1.1 forms
authentication/role based ...) to get a clear view on this:
http://support.microsoft.com/?id=311495

So the HttpContext.Current.User will remain there during the ASP.NET
request's server-side lifecycle.... And for your scenario when you
explicitly use FormsAuthentication.SignOut to discard the current
authentication ticket, you can make a Response.Redirect call right after it
so as to let the client make a new request to the page (or any other
protected page....), this time the User won't be set since there is no
associated authentication ticket....
BTW, the means Peter mentioned is also reasonable if you want the
HttpContext.User to get cleared during the same request lifecycle (without
waiting until the subsequent request...)

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
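
The two approaches from this thread (reset HttpContext.User within the same request, or redirect so the next request arrives without a ticket) combined in one logout helper. This is an added example, not code from any of the posters; the LogoutHelper class and its method names are hypothetical, and FormsAuthentication.LoginUrl assumes ASP.NET 2.0 or later.

```csharp
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): ends a forms-authentication
// login and makes sure no code later in the same request sees the old user.
public static class LogoutHelper
{
    // Removes the ticket and resets the principal for the current request.
    public static void SignOutAndReset(HttpContext context)
    {
        // Expires the forms-authentication cookie in the response.
        // context.User is NOT changed by this call: it was attached when
        // the request began and still reports IsAuthenticated == true.
        FormsAuthentication.SignOut();

        // A GenericIdentity with an empty name reports
        // IsAuthenticated == false, and the principal carries no roles.
        IPrincipal anonymous = new GenericPrincipal(
            new GenericIdentity(string.Empty), new string[0]);

        // Replace the principal so authorization checks made later in
        // this request (IsInRole, IsAuthenticated) see an anonymous user.
        context.User = anonymous;
        Thread.CurrentPrincipal = anonymous;
    }

    // Same as above, then sends the client to the login page so the next
    // request starts with no ticket at all.
    public static void SignOutAndRedirect(HttpContext context)
    {
        SignOutAndReset(context);

        // endResponse = false avoids the ThreadAbortException that
        // Response.Redirect(url) raises; CompleteRequest skips the rest
        // of the pipeline instead.
        context.Response.Redirect(FormsAuthentication.LoginUrl, false);
        context.ApplicationInstance.CompleteRequest();
    }
}
```

Calling SignOutAndReset alone covers pages that keep rendering after logout; SignOutAndRedirect covers the case where the response should end immediately.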


