FormsAuthentication.SignOut() does not log the user out

by

Users can still browse your website because cookies are not cleared when you call FormsAuthentication.SignOut() and they are authenticated on every new request. In MS documentation is says that cookie will be cleared but they don’t, bug?
Its exactly the same with Session.Abandon(), cookie is still there.

You should change your code to this:

FormsAuthentication.SignOut();
Session.Abandon();

// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// clear session cookie (not necessary for your current problem but i would recommend you do it anyway)
SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

FormsAuthentication.RedirectToLoginPage();

HttpCookie is in the System.Web namespace. MSDN Reference.

More Related Contents:

  1. ASP.NET MVC – Set custom IIdentity or IPrincipal
  2. Can some hacker steal a web browser cookie from a user and login with that name on a web site?
  3. Mixing Forms authentication with Windows authentication
  4. Passing FormsAuthentication cookie to a WCF service
  5. Asp.net forms authentication and multiple domains
  6. Store/assign roles of authenticated users
  7. How to remove returnurl from url?
  8. Forms Authentication Ignoring Default Document
  9. Impersonate using Forms Authentication
  10. Allow access for unathenticated users to specific page using ASP.Net Forms Authentication
  11. Forms authentication: disable redirect to the login page
  12. Can I change the FormsAuthentication cookie name?
  13. Different users get the same cookie – value in .ASPXANONYMOUS
  14. Redirect URL (ASP.NET)
  15. Get full path of a file with FileUpload Control
  16. CustomErrors mode=”Off”
  17. ASP.NET Identity with EF Database First MVC5
  18. How to give ASP.NET access to a private key in a certificate in the certificate store?
  19. Which gets priority, maxRequestLength or maxAllowedContentLength?
  20. Is it possible to use Razor View Engine outside asp.net
  21. How to launch an EXE from Web page (asp.net)
  22. BackgroundWorker thread in ASP.NET
  23. Change Text Box Color using Required Field Validator. No Extender Controls Please
  24. ASP.Net UserName to Email
  25. How can I check for IsPostBack in JavaScript? [duplicate]
  26. How can I handle forms authentication timeout exceptions in ASP.NET?
  27. How to login and then download a file from aspx web pages with R
  28. “This operation requires IIS integrated pipeline mode.”
  29. Asp.Net MVC3, returning success JsonResult
  30. IIS AAR – URL Rewrite for reverse proxy – how to send HTTP_HOST

Leave a Comment