FormsAuthentication.SignOut() does not log the user out FormsAuthentication.SignOut() does not log the user out asp.net asp.net

FormsAuthentication.SignOut() does not log the user out


asp.net forms-authentication

Users can still browse your website because cookies are not cleared when you call FormsAuthentication.SignOut() and they are authenticated on every new request. In MS documentation is says that cookie will be cleared but they don't, bug?Its exactly the same with Session.Abandon(), cookie is still there.

You should change your code to this:

FormsAuthentication.SignOut();Session.Abandon();// clear authentication cookieHttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");cookie1.Expires = DateTime.Now.AddYears(-1);Response.Cookies.Add(cookie1);// clear session cookie (not necessary for your current problem but i would recommend you do it anyway)SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");cookie2.Expires = DateTime.Now.AddYears(-1);Response.Cookies.Add(cookie2);FormsAuthentication.RedirectToLoginPage();

HttpCookie is in the System.Web namespace. MSDN Reference.

asp.net forms-authentication

Using two of the above postings by x64igor and Phil Haselden solved this:

1. x64igor gave the example to do the Logout:

  • You first need to Clear the Authentication Cookie and Session Cookie by passing back empty cookies in the Response to the Logout.

    public ActionResult LogOff(){    FormsAuthentication.SignOut();    Session.Clear();  // This may not be needed -- but can't hurt    Session.Abandon();    // Clear authentication cookie    HttpCookie rFormsCookie = new HttpCookie( FormsAuthentication.FormsCookieName, "" );    rFormsCookie.Expires = DateTime.Now.AddYears( -1 );    Response.Cookies.Add( rFormsCookie );    // Clear session cookie     HttpCookie rSessionCookie = new HttpCookie( "ASP.NET_SessionId", "" );    rSessionCookie.Expires = DateTime.Now.AddYears( -1 );    Response.Cookies.Add( rSessionCookie );

2. Phil Haselden gave the example above of how to prevent caching after logout:

  • You need to Invalidate the Cache on the Client Side via the Response.

        // Invalidate the Cache on the Client Side    Response.Cache.SetCacheability( HttpCacheability.NoCache );    Response.Cache.SetNoStore();    // Redirect to the Home Page (that should be intercepted and redirected to the Login Page first)    return RedirectToAction( "Index", "Home" ); }

asp.net forms-authentication

Sounds to me like you don't have your web.config authorization section set up properly within . See below for an example.

<authentication mode="Forms">  <forms name="MyCookie" loginUrl="Login.aspx" protection="All" timeout="90" slidingExpiration="true"></forms></authentication><authorization>  <deny users="?" /></authorization>

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last