FormsAuthentication.SignOut() does not work

I am developing a website with a secure part, that is, a folder called "PIP".

The login part is working fine, but when I click the logout button the user is still known and is not redirected to the login page if he goes to the protected part.

Here is my web.config:

    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH">
            </forms>
        </authentication>
    </system.web>
    <location path="PIP">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>

My login page where the user is authenticated:

 FormsAuthentication.RedirectFromLoginPage(uid, false); 

On the default.aspx page in the protected folder (PIP) there is a logout button, the code behind this button:

    FormsAuthentication.SignOut();
    Response.Redirect("~/Default.aspx", true);

There is a link on the page "Default.aspx" that goes to ~/PIP/Default.aspx; it should be redirected to the login page, but it is not. The session does not seem to be affected by the logout.

I tried many options, including manually clearing the session (Session.Clear, Session.Abandon), but nothing works.

Hope you guys can point me in the right direction!

Thanks in advance.

+6

4 answers

Do you have any other instances of IE open before, during, or after logging out? If not, you may find that the cookie still exists in IE's shared cookie store.

Do you have an expiration date on your web pages? If not, the page may still be in the browser cache, and forms-based authentication on the server will not be called.

If you close your browser, try to access the protected resource again and have to log in, then it is configured correctly... The session cookie is not used as part of the forms authentication process, so you do not need to worry about it; FormsAuthentication.SignOut() is the right way to do this.

In your Global.asax.cs, add the following event handler (if you don't already have one) and set a breakpoint in it. If you hit the breakpoint on subsequent requests after you have called LogOff, you can crack the cookie open and look at it. I suspect you will not hit this breakpoint because the requests are being served from the cache.

  protected void Application_BeginRequest(object sender, EventArgs e) {} 

To crack a cookie:

    HttpRequest currentRequest = HttpContext.Current.Request;

    // Attempt to get the Forms Auth cookie from the request
    HttpCookie authenticationCookie = currentRequest.Cookies[FormsAuthentication.FormsCookieName];
    if (authenticationCookie != null)
    {
        // Crack the cookie open (Decrypt validates the MAC and throws if the cookie was tampered with)
        var formsAuthenticationTicket = FormsAuthentication.Decrypt(authenticationCookie.Value);

        // Breakpoint here to see the contents of the ticket (Name, IssueDate, Expiration, Expired)
        if (formsAuthenticationTicket.Expired)
        {
        }
    }

It's also worth trying this in Firefox or Chrome, as they seem to be better at getting rid of the cookie.

To disable caching, you can put the following on one of the pages:

    private static void SetImmediateExpiryOnResponse(HttpResponse response)
    {
        // HttpCachePolicy settings: no caching anywhere, never store, always revalidate
        response.Cache.SetAllowResponseInBrowserHistory(false);
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        response.Cache.SetNoStore();
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // Legacy (classic ASP style) properties, set as well for older clients and proxies
        response.Expires = -1;
        response.ExpiresAbsolute = DateTime.Now.AddDays(-1);
        response.CacheControl = "no-cache";
    }
+2

You need to abandon the session after signing out.

    FormsAuthentication.SignOut();
    Session.Abandon();
    Response.Redirect("~/Default.aspx", true);
+3

Set the cookie as expired:

    HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (cookie != null)
    {
        // An expiry date in the past tells the browser to delete the cookie
        cookie.Expires = DateTime.Now.AddYears(-1);
        HttpContext.Current.Response.Cookies.Add(cookie);
    }
+1
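The three answers above each cover one piece (diagnose the cookie and disable caching, abandon the session, expire the cookie). The following is an added example that is not code from any of the answers; it puts the pieces together and adds the check a security reviewer would ask for: FormsAuthentication.SignOut() only tells the browser to drop the cookie, while the encrypted ticket inside it remains valid on the server until its own timeout, so a copy of the cookie can be replayed after "logout". The example assumes the question's setup (Forms authentication, protected folder PIP, Login.aspx) and .NET Framework 4.5 or later (for FormsAuthentication.Timeout); the PipSample namespace, the TicketRevocation class, the RevocationModule and the LogoutButton_Click handler are illustrative names, not ASP.NET APIs.

```csharp
// Added example, not from the original answers. Assumes the question's web.config and
// .NET Framework 4.5+ (FormsAuthentication.Timeout). Names below are illustrative.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

namespace PipSample
{
    // Server-side cut-off per user: every ticket issued at or before the cut-off is dead.
    // In-memory for one server; a web farm would put this in a shared cache or database.
    public static class TicketRevocation
    {
        private static readonly ConcurrentDictionary<string, DateTime> CutOffUtc =
            new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);

        public static void RevokeAllBefore(string userName, DateTime whenUtc)
        {
            CutOffUtc[userName] = whenUtc;
            // A ticket issued at or before a cut-off expires by cut-off + timeout (renewals are
            // refused in the module), so older entries can be dropped.
            foreach (var kv in CutOffUtc)
                if (kv.Value + FormsAuthentication.Timeout < whenUtc)
                {
                    DateTime ignored;
                    CutOffUtc.TryRemove(kv.Key, out ignored);
                }
        }

        public static bool IsRevoked(FormsAuthenticationTicket ticket)
        {
            DateTime cutOff;
            return CutOffUtc.TryGetValue(ticket.Name, out cutOff)
                && ticket.IssueDate.ToUniversalTime() <= cutOff;
        }
    }

    // Register in web.config under <system.webServer><modules>:
    //   <add name="Revocation" type="PipSample.RevocationModule" />
    public class RevocationModule : IHttpModule
    {
        public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }
        public void Dispose() { }

        private static void OnPostAuthenticate(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            HttpCookie cookie = app.Request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

            FormsAuthenticationTicket ticket;
            try
            {
                // Decrypt the raw request cookie. With slidingExpiration="true" the built-in
                // module may already have renewed the ticket, and FormsIdentity.Ticket could
                // then carry a fresh IssueDate that defeats the cut-off comparison.
                ticket = FormsAuthentication.Decrypt(cookie.Value);
            }
            catch (ArgumentException) { return; } // malformed cookie
            catch (HttpException) { return; }     // bad MAC / not ours; already anonymous

            if (ticket == null || ticket.Expired || !TicketRevocation.IsRevoked(ticket)) return;

            // Revoked: make the request anonymous, replace any renewed cookie queued in the
            // response with an expired one, and send the client to Login.aspx without running the page.
            app.Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            FormsAuthentication.SignOut();
            app.Response.Redirect(FormsAuthentication.LoginUrl, false);
            app.CompleteRequest();
        }
    }

    // Code-behind for the logout button on ~/PIP/Default.aspx.
    public partial class PipDefault : Page
    {
        protected void LogoutButton_Click(object sender, EventArgs e)
        {
            // 1. Server side: invalidate every ticket this user holds, replayed copies included.
            if (User != null && User.Identity.IsAuthenticated)
                TicketRevocation.RevokeAllBefore(User.Identity.Name, DateTime.UtcNow);

            // 2. Client side: expire the forms cookie (uses the path/domain from web.config).
            FormsAuthentication.SignOut();

            // 3. Session state is independent of forms auth; abandon it and expire its cookie too.
            Session.Abandon();
            Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
            {
                Expires = DateTime.UtcNow.AddYears(-1),
                HttpOnly = true
            });

            // 4. Keep the logged-in page out of the browser cache so Back does not show it.
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetNoStore();
            Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

            // endResponse:false avoids the ThreadAbortException that Redirect(url, true) raises.
            Response.Redirect("~/Default.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

To check that logout really took effect, copy the .ASPXFORMSAUTH cookie value from the browser before clicking Log Out, then send it from curl against /PIP/Default.aspx afterwards: with SignOut() alone the page is returned as long as the ticket has not timed out, with the module in place the reply is a redirect to Login.aspx.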

Using the LoginView control may solve your problem.

One of my websites has this configuration in web.config:

    <authentication mode="Forms">
        <forms loginUrl="~/Login.aspx"
               protection="All"
               timeout="30"
               name=".ASPXAUTH"
               path="/"
               requireSSL="false"
               slidingExpiration="true"
               defaultUrl="Login.aspx"
               cookieless="UseDeviceProfile"
               enableCrossAppRedirects="false" />
    </authentication>

Then, in my protected area, I created a new web.config with only a few lines:

    <configuration>
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </configuration>

And in the MasterPage I use the LoginView control:

    <asp:LoginView ID="HeadLoginView" runat="server" EnableViewState="false">
        <AnonymousTemplate>
            <a href="../LoginReservedArea.aspx">Area Clienti</a>
            <%--[ <a href="~/Login.aspx" ID="HeadLoginStatus" runat="server">Log In</a> ]--%>
        </AnonymousTemplate>
        <LoggedInTemplate>
            Welcome <asp:LoginName ID="HeadLoginName" runat="server" />
            [<asp:LoginStatus ID="HeadLoginStatus" runat="server" LogoutAction="RedirectToLoginPage" LogoutText="Log Out" />]
        </LoggedInTemplate>
    </asp:LoginView>

In the documentation for the LoginView control you can read that:

Exiting the website clears the user's authentication status and, when using cookies, clears the cookie from the user's client computer.

So I think that if you are not using the LoginView control, you should clear the cookie manually.

0

Source: https://habr.com/ru/post/921655/

