ASP ASPXAUTH authentication cookie not cleared on sign/log out

10,964

Solution 1

I had this issue, and to make sure the user gets logged out, I now use the following piece of code:

        using System;
        using System.Web;
        using System.Web.Security;

        // Code-behind of the page (or handler) that performs the log out
        protected void LogOut()
        {
            FormsAuthentication.SignOut();

            // Drop all the information held in the session
            Session.Clear();
            Session.Abandon();

            // Clear the authentication cookie. The deletion cookie must carry the
            // same path as the cookie that was issued, or the browser keeps the original.
            HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
            cookie1.Expires = DateTime.Now.AddYears(-1);
            cookie1.Path = FormsAuthentication.FormsCookiePath;
            Response.Cookies.Add(cookie1);

            // Clear the session cookie
            HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
            cookie2.Expires = DateTime.Now.AddYears(-1);
            Response.Cookies.Add(cookie2);

            // Redirect the user to the login page and end the response, so nothing
            // later in the pipeline writes a fresh authentication cookie
            Response.Redirect("YourLoginPage.aspx", true);
        }

Solution 2

To avoid this issue, the moment you call SignOut, the next call must be Redirect(pageLogOut, true); stop any other activity until it has fully redirected. The parameter true is very important.

After you call SignOut(), you must force the browser to flush the cookie data, because if the authentication requests the cookie again for any reason, the cookie gets more time to live and is not deleted from the browser as you asked for with the SignOut command.

So after the SignOut, redirect to a page, or make sure that you flush the cookies to the browser and do not request anything that has to do with authenticating the user until the cookies are completely written to the browser.

Hope this helps.
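Both solutions depend on the log out response carrying Set-Cookie headers that the browser will actually honour as deletions: a browser only replaces a stored cookie whose name, Domain and Path all match, and only drops it when Expires lies in the past or Max-Age is 0 (RFC 6265). The following checker is an added example, not code from the original post or from ASP.NET; it runs over constructed Set-Cookie headers (the cookie names are ASP.NET's, the values and paths are made up) and reports why a log out response would leave .ASPXAUTH in place, the situation the question observed in Fiddler.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers: the cookie names are ASP.NET's, values and paths are made up.
LOGIN_SET_COOKIE = [
    ".ASPXAUTH=constructed-ticket; path=/; HttpOnly",
    "ASP.NET_SessionId=constructed-session; path=/; HttpOnly",
]
LOGOUT_OK = [  # a correct log out response: empty value, past expiry, same path as issued
    ".ASPXAUTH=; expires=Tue, 12 Oct 1999 05:00:00 GMT; path=/; HttpOnly",
    "ASP.NET_SessionId=; expires=Tue, 12 Oct 1999 05:00:00 GMT; path=/",
]
LOGOUT_WRONG_PATH = [  # expired, but scoped to a sub-path, so the browser keeps the "/" cookie
    ".ASPXAUTH=; expires=Tue, 12 Oct 1999 05:00:00 GMT; path=/Services",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    return name.strip(), value, attrs

def is_deletion(attrs, now):
    """RFC 6265: a stored cookie is removed only if Max-Age <= 0 or Expires lies in the past."""
    if "max-age" in attrs:
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) <= 0
    try:  # no Max-Age and no parseable Expires means a session cookie, not a deletion
        return parsedate_to_datetime(attrs["expires"]) <= now
    except (KeyError, TypeError, ValueError):
        return False

def check_logout(login_headers, logout_headers, cookie_name, now=None):
    """Return the reasons a browser would still hold cookie_name after the logout response."""
    now = now or datetime.now(timezone.utc)
    issued = {n: a for n, _, a in (parse_set_cookie(h) for h in login_headers)}
    deletions = [a for n, _, a in (parse_set_cookie(h) for h in logout_headers) if n == cookie_name]
    if not deletions:
        return [f"{cookie_name}: no Set-Cookie in logout response"]
    findings = []
    for attrs in deletions:
        if not is_deletion(attrs, now):
            findings.append(f"{cookie_name}: not expired (Expires/Max-Age missing or in the future)")
        # A browser only replaces a stored cookie when name, Domain and Path all match it.
        for scope in ("path", "domain"):
            if issued.get(cookie_name, {}).get(scope, "").lower() != attrs.get(scope, "").lower():
                findings.append(f"{cookie_name}: {scope} differs from the issued cookie")
    return findings
```

Feed it the Set-Cookie headers captured from the login and log out responses (for example from Fiddler) to confirm the deletion really matches the issued cookie instead of trusting that the browser dropped it.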

Deru

Updated on July 26, 2022

Comments

  • Deru
    Deru almost 2 years

    I'm using ASP authentication and the integrated webservice.

    The user logs in with Forms authentication on a login page.
    To log out, I call the authentication webservice from Silverlight and call logout.

    Everything worked OK but now sometimes IE gets crazy and doesn't log out the user anymore.

    I used Fiddler and it turns out that the authentication service returns a Set-Cookie to clear the ASPXAUTH cookie, but on the next call IE still has the cookie set.
    So of course, because the cookie is there, the user is authenticated and logs right back in rather than being directed to the login page.

    I checked and didn't see any other description of the issue. I can't reproduce it and my colleagues that have a misbehaving IE have it working fine on one environment and not on the other (one has the issue for DEV and another has the issue for the PreProd server).

    Any idea what may be going on?

  • Charles Byrne
    Charles Byrne about 11 years
    MSDN recommends redirect with false then call CompleteRequest to prevent ThreadAbortException. They mention performance as well, but I haven't tested. From MSDN - Response Redirect: If you specify true for the endResponse parameter, this method calls the End method for the original request, which throws a ThreadAbortException exception when it completes. This exception has a detrimental effect on Web application performance, which is why passing false for the endResponse parameter is recommended.
  • Aristos
    Aristos about 11 years
    @CharlesByrne If you do not stop the processing then it is possible for more cookies to be written to the browser, cookies that you do not expect. Take a moment and read this: stackoverflow.com/a/14641145/159270
  • Rob
    Rob almost 11 years
    This works. I had an issue where the asp:LoginStatus code would not properly flush, but would redirect to logon.aspx, so I stuck this code in that page's Page_Init function and tested for login with if (Context.User.Identity.IsAuthenticated). At that point the cookies got properly flushed.
  • Brett Caswell
    Brett Caswell about 9 years
    This is not a good general recommendation to make, or to use. If cookies are being written to the response elsewhere, then that issue should be addressed, not worked around.
  • The Red Pea
    The Red Pea about 2 years
    For me, the HttpResponse object can be reached at: System.Web.HttpContext.Current.Response.Cookies