ASP.NET user still authenticated after sign-out.

ASP.NET Membership sits on top of Forms Authentication, which relies on a cookie to carry the encrypted FormsAuthentication ticket of a user. Signing a user out of our application therefore comes down to removing (expiring) that cookie in the browser.

When a user logs in, a cookie containing the encrypted ticket is stored on the client machine:

public void CreateUserCookie(string username)
{
  // Lifetime of the cookie on the client: 3 months
  DateTime expiration = DateTime.Now.AddMonths(3);
  // Lifetime of the authentication ticket itself: 10 minutes, not persistent
  FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(username, false, 10);
  string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
  // The cookie name comes from the "name" attribute of <forms> in web.config.
  // No Path is set here, so the browser stores the cookie under the default path "/".
  HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
  authCookie.Expires = expiration;
  HttpContext.Current.Response.Cookies.Add(authCookie);
}

*Note that the expiration of the cookie and the expiration of the authentication ticket are two different things. The cookie can live on the client for as long as we like (e.g. 3 months), while the ticket inside it is only valid for 10 minutes (renewed on activity if slidingExpiration is on). The server checks the ticket's expiry, not the cookie's: once the ticket has expired the browser still sends the cookie, but the request is treated as anonymous.

Here is the logout:

FormsAuthentication.SignOut();
Roles.DeleteCookie();
Session.Clear();
FormsAuthentication.RedirectToLoginPage();

*Note that clearing the session does not affect the cookie, and therefore does not affect the authentication either. Forms authentication and session state are unrelated: a user whose session was cleared but whose ticket is still valid stays authenticated. (If the browser does not accept cookies and cookieless mode is enabled, the ticket is carried in the URL instead.)

The user stays authenticated after a sign-out when FormsAuthentication.SignOut() did not actually remove the cookie, and nothing tells us so. SignOut() does not raise an error: it simply writes an already-expired cookie with the configured name and path into the response. If the browser does not match that cookie against the one we created, our cookie survives and the user is still logged in on the next request.

One cause is a mismatch between the Forms authentication section of our web.config and the cookie we create by hand. The "path" attribute of <forms> (exposed as FormsAuthentication.FormsCookiePath) is the path SignOut() uses when it expires the cookie, while the cookie created above has no Path and therefore defaults to "/". Browsers identify a cookie by name, domain and path, so the two are different cookies and the one we set is never cleared.

<forms loginUrl="/Pages/work-with-us.aspx" protection="All" timeout="10" name="ProjectX.Web" requireSSL="false" slidingExpiration="true" path="/FormsAuth" enableCrossAppRedirects="false"/>

Remove the "path" attribute (its default is "/") so that the cookie SignOut() expires sits at the same path as the cookie we created, or, equivalently, set the Path of the manual cookie to FormsAuthentication.FormsCookiePath when creating it. * Note that the "name" attribute defines the name of the authentication cookie (FormsAuthentication.FormsCookieName), and that requireSSL="false" lets the ticket travel over plain HTTP; set it to true once the site is served over HTTPS.
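To make the fix independent of how web.config is edited, the helper below creates the ticket cookie with the same name, path, domain and Secure flag the runtime reads from <forms>, and checks after SignOut() that the response really carries an expired cookie at that path. This is an added example, not code from the original post: the class AuthCookieHelper, its method names and the ticketMinutes parameter (which should match the "timeout" attribute, 10 in the post) are assumptions; the FormsAuthentication, HttpCookie and Roles members it calls are the standard System.Web.Security ones.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;

// Hypothetical helper class (not from the original post).
public static class AuthCookieHelper
{
    // Creates the Forms ticket cookie with the same name, path and domain the
    // runtime reads from <forms ...> in web.config, so that
    // FormsAuthentication.SignOut() later expires exactly this cookie.
    // ticketMinutes should match the "timeout" attribute (10 in the post).
    public static HttpCookie CreateUserCookie(HttpResponse response, string username, int ticketMinutes)
    {
        DateTime now = DateTime.Now;

        // The ticket carries its own expiry; that is what the server enforces.
        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version used by the runtime
            username,
            now,                                  // issue date
            now.AddMinutes(ticketMinutes),        // ticket expiry (sliding if configured)
            false,                                // isPersistent
            string.Empty,                         // userData
            FormsAuthentication.FormsCookiePath); // path recorded inside the ticket

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            Path = FormsAuthentication.FormsCookiePath, // same path SignOut() will use
            HttpOnly = true,                            // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,    // follows requireSSL in web.config
            Expires = now.AddMonths(3)                  // cookie lifetime, independent of the ticket
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
        {
            cookie.Domain = FormsAuthentication.CookieDomain; // same domain, if one is configured
        }

        response.Cookies.Add(cookie);
        return cookie;
    }

    // Signs the user out and checks that the response really carries an
    // expired ticket cookie at the configured path. A false result means the
    // browser will keep the old cookie and the user stays authenticated.
    public static bool SignOutAndVerify(HttpContext context)
    {
        FormsAuthentication.SignOut();   // queues an expired cookie at FormsCookiePath
        Roles.DeleteCookie();            // same for the roles cookie
        context.Session.Clear();
        context.Session.Abandon();       // session state is unrelated to the ticket; clear it anyway

        HttpCookieCollection cookies = context.Response.Cookies;
        // Check AllKeys first: indexing the response collection by a missing
        // name creates an empty cookie instead of returning null.
        if (!cookies.AllKeys.Contains(FormsAuthentication.FormsCookieName))
        {
            return false;
        }

        HttpCookie cleared = cookies[FormsAuthentication.FormsCookieName];
        return cleared.Expires < DateTime.Now
            && string.Equals(cleared.Path, FormsAuthentication.FormsCookiePath, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call AuthCookieHelper.CreateUserCookie(Response, username, 10) after validating the credentials, and AuthCookieHelper.SignOutAndVerify(HttpContext.Current) from the logout handler before FormsAuthentication.RedirectToLoginPage(); log or fail loudly when it returns false, since SignOut() itself never will.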
