5

Here is My Code To Log In

 var expire = DateTime.Now.AddDays(7);
        // Create a new ticket used for authentication
        var ticket = new FormsAuthenticationTicket(
        1, // Ticket version
        username, // Username to be associated with this ticket
        DateTime.Now, // Date/time issued
        expire, // Date/time to expire
        true, // "true" for a persistent user cookie (could be a checkbox on form)
        roles, // User-data (the roles from this user record in our database)
        FormsAuthentication.FormsCookiePath); // Path cookie is valid for

        // Hash the cookie for transport over the wire
        var hash = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash) { Expires = expire };

        // Add the cookie to the list for outbound response
        Response.Cookies.Add(cookie);

Here Is My Code To Check The Roles. It is a custom IHTTP Module

 if (HttpContext.Current.User == null) return;
        if (!HttpContext.Current.User.Identity.IsAuthenticated) return;
        if (!(HttpContext.Current.User.Identity is FormsIdentity)) return;

        // Get Forms Identity From Current User
        var id = (FormsIdentity)HttpContext.Current.User.Identity;
        // Get Forms Ticket From Identity object
        var ticket = id.Ticket;
        // Retrieve stored user-data (our roles from db)
        var userData = ticket.UserData;
        var roles = userData.Split(',');
        // Create a new Generic Principal Instance and assign to Current User
        Thread.CurrentPrincipal = HttpContext.Current.User = new GenericPrincipal(id, roles);

Here is my Code To Log Out

FormsAuthentication.SignOut();
        Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
        Session.Clear(); 
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetExpires(DateTime.Now.AddSeconds(-1));
        Response.Cache.SetNoStore();
        Response.AppendHeader("Pragma", "no-cache");
        return View("SignIn");

This is crazy. I have two bald spots now.

  • 2
    Take a step back from where you think the problem lies - its probably something more obvious like the code you think is never being invoked. Place a breakpoint in your log out code and verify it is being hit. – cfeduke Jul 17 '09 at 19:55
  • Maybe related: http://stackoverflow.com/questions/412300/formsauthentication-signout-does-not-log-the-user-out/1306932#1306932 – Deduplicator Sep 19 '15 at 03:02

3 Answers3

7

1) shouldn't your call to Response.Cookies.Remove(FormsAuthentication.FormsCookieName); be Response.Cookies.Remove(whatever-the-user-name-is);?

2) try sending an expired cookie back to the browser. 

FormsAuthentication.SignOut();

// replace with username if this is the wrong cookie name
Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
Session.Clear(); 
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.Now.AddSeconds(-1));
Response.Cache.SetNoStore();
Response.AppendHeader("Pragma", "no-cache");

// send an expired cookie back to the browser
var ticketExpiration    = DateTime.Now.AddDays(-7);
var ticket              = new FormsAuthenticationTicket(
    1, 
    // replace with username if this is the wrong cookie name
    FormsAuthentication.FormsCookieName, 
    DateTime.Now, 
    ticketExpiration, 
    false, 
    String.Empty);
var cookie              = new System.Web.HttpCookie("user")
{
    Expires             = ticketExpiration,
    Value               = FormsAuthentication.Encrypt(ticket),
    HttpOnly            = true
};

Response.Cookies.Add(cookie);

return View("SignIn");
Jared
  • 8,390
  • 5
  • 38
  • 43
  • Thanks for the try dude. It is still a no go. I have three bald spots now. Response.Cookies.Clear(); does not either. For fun, (yes this is fun), I set the cookie to expire ON LOGIN, this worked, however is completely useless as a solution. –  Jul 17 '09 at 20:35
  • Simply put, something is seriously wrong. I do not know what (or where). However I resolved the problem in part by adding your expired cookie. –  Jul 17 '09 at 21:21
  • Well I'm glad you fixed it! can you post the code you ended up using? I'm curious to see what you had to do to get it working – Jared Jul 17 '09 at 23:22
0

If you want to apply the "no cache on browser back" behavior on all pages then you should put it in global.asax.

protected void Application_BeginRequest()
{
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
    Response.Cache.SetNoStore();
}

hope it helps someone !

AthibaN
  • 2,087
  • 1
  • 15
  • 22
0

You can not directly delete a cookie on a client's computer. When you calls the Cookies.Remove method the cookie is deleted on a server side. To delete the cookie on a client's side it's necessary to set the cookie's expiration date to a past date.

HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null)
{
     cookie.Expires = DateTime.Now.AddDays(-1);
     HttpContext.Current.Response.Cookies.Add(cookie);
}

I hope this helps you.

Evgeny Shmanev
  • 1