proper way to logout and end a session


E. Kwong


I have a link on a site (say http://site1) that points to a small
application I wrote which is being hosted on a different site
(http://site2). The application consists of a login page
(site2/app/login.aspx) and a couple of other pages (say page2.aspx,
page3.aspx, etc...) and they are all in the same folder.. When people click
on that link, the login page is supposed to show in a new browser window.
And when people click the logout link inside the application, the
application will close this second browser window.

During testing, from the link on http://site1, I'm able to login the
application, get to the other pages (page2, page3, ...), and then logout.
The problem is that if I go back to the first browser window (http://site1)
immediately and click the link again, the application aborts with unhandled
errors in the new browser window. I'll keep getting this error unless I
close the first browser window, open a new one and re-access http://site1

The link on http://site1 is originally http://site2/app/page2.aspx . The
application aborts because in the page load event of page2.aspx, it is
looking for some session variable values which dont't exist since I did a
session.clear() upon the first logout. My question is: why did the
application skip the login page and go directly to page2?

The login page is already specified in the authentication section of

<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="login" protection="All" timeout="60"/>

Right now I've changed the link on http://site1 to
http://site2/Login.aspx?ReturnUrl=*pp/page2.aspx and the problem "goes
away". However; it's not a friendly URL and I definitely prefer the
original URL.

I really would like to know the proper way to logout and end a session to
avoid the situation described above. Any pointer greatly appreciated.

Using: .net 2.0



bruce barker

session and authentication are not linked. they are separate operations,
and clearing does not effect the other. also the authentication cookie
is separate from the session cookie. as the second site is opened from
the first, its cookies are not deleted by the browser when the window is
closed, so when the site is reopened, the authentication cookie is still
active (unless you delete the cookie before closing the page). the
session cookie is also still active, but session has been cleared.

you pages should always check for a valid session (a recycle can clear
session), and recreate if missing.

-- bruce (

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question