6

I'm developing a website with a secure part, which is the folder named 'PIP'.

The login part works okay, but when I click logoff, the user is still known and won't be redirected to the login page if he/she touches the secure part.

Here is my web.config:

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH">
    </forms>
  </authentication>
</system.web>

<location path="PIP">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

My login page where the user is authenticated:

FormsAuthentication.RedirectFromLoginPage(uid, false);

The default.aspx page in the secured folder (PIP) has a logoff button; the code behind that button:

FormsAuthentication.SignOut();
Response.Redirect("~/Default.aspx", true);

On the page "Default.aspx" there is a link that goes to ~/PIP/Default.aspx; it should be redirected to the login page, but it does not. It seems the session is not affected by the sign-out.

I've tried a lot of options: manually deleting the sessions, Session.Clear, Session.Abandon, but nothing seems to be working.

I hope you guys can point me in the right direction!

Thanks in advance.

Falcko
  • Read this: http://stackoverflow.com/questions/412300/formsauthentication-signout-does-not-log-the-user-out – Snake Eyes Jun 05 '15 at 14:30
  • This answer offers some ways to check, especially if your site is failing pen tests: https://stackoverflow.com/questions/31565632/invalidate-aspx-authentification-cookie – Tyler S. Loeper Mar 19 '18 at 19:17

5 Answers

4

You need to abandon the session after signing out.

FormsAuthentication.SignOut();
Session.Abandon();
Response.Redirect("~/Default.aspx", true);
David Anderson
2

Do you have any other instances of IE open before, during, or after you sign out? If not, you can find that the cookie still exists in a shared cookie element of IE.

Do you have any expiry set on your web pages? If not, the page may still be in your browser cache and the Forms Authentication check on the server will not be called.

If you close your browser, try to go to a protected resource again and have to log in, then it is configured correctly. The session cookie is not used as part of the Forms Authentication process, so you need not worry about it - FormsAuthentication.SignOut() is the correct way to do this.

In your Global.asax.cs add the following event handler - if you don't already have it - and put a breakpoint on it. If you hit the breakpoint for subsequent requests after you've called LogOff then you can crack open the cookie and have a look inside it - my guess is that you won't hit this breakpoint because the requests are being served from the cache.

    protected void Application_BeginRequest(object sender, EventArgs e) 
    {}

To crack open the cookie:

    HttpRequest currentRequest = HttpContext.Current.Request;

    // Attempt to get the Forms Auth cookie from the request
    HttpCookie authenticationCookie = currentRequest.Cookies[FormsAuthentication.FormsCookieName];

    if (authenticationCookie != null)
    {
        // Crack the cookie open (Decrypt throws if the value was tampered with
        // or was encrypted under a different machineKey)
        FormsAuthenticationTicket formsAuthenticationTicket = FormsAuthentication.Decrypt(authenticationCookie.Value);

        // Breakpoint here to see the contents of the ticket
        if (formsAuthenticationTicket != null && formsAuthenticationTicket.Expired)
        {
            // Expired ticket: FormsAuthenticationModule treats this request as anonymous
        }
    }

It is also worthwhile trying this in Firefox or Chrome as they seem better at getting rid of the cookie immediately.

To disable caching you can put the following in one of the pages:

    private static void SetImmediateExpiryOnResponse(HttpResponse response)
    {
        response.Cache.SetAllowResponseInBrowserHistory(false);
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        response.Cache.SetNoStore();
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        response.Expires = -1;
        response.ExpiresAbsolute = DateTime.Now.AddDays(-1);
        response.CacheControl = "no-cache";
    }
Ciaran
  • Thanks for your reply. I closed all browsers and deleted the cache. Doesn't help. I also tried to log in, close the browser, and then I had to log in again. If I put the breakpoint on the IF statement, it hits the breakpoint. If I put it inside the IF statement, it never hits. I also put the SetImmediateExpiryOnResponse code in my default.aspx. – Falcko Jul 30 '12 at 11:50
  • Ok, so that means you still have a cookie. Do you know for definite that the FormsAuthentication.SignOut() method is called? – Ciaran Jul 30 '12 at 11:58
  • Does this happen on all browsers? – Ciaran Jul 30 '12 at 12:00
  • Yes, I'm sure that FormsAuthentication.SignOut(); is called; I've put a breakpoint on it. Yes, I've tried IE and Firefox. – Falcko Jul 30 '12 at 12:23
  • The strange thing is that when I create a simple login form with a single button in it, with this code behind the button: protected void Button1_Click(object sender, EventArgs e) { FormsAuthentication.RedirectFromLoginPage("test", false); } then it works! I can click Sign out and have to log in again. With my own login page it doesn't work. – Falcko Jul 30 '12 at 13:09
  • Can you try it with Response.Redirect(url, false) after FormsAuthentication.SignOut()? – Ciaran Jul 30 '12 at 13:11
  • No result. I bet the problem is in the login page, not so much in the sign-out part. – Falcko Jul 30 '12 at 13:20
  • The problem was that the third-party login provider needed a logout command as well. Thanks for your help!! (I forgot to close this question, otherwise I would've done it earlier.) – Falcko Oct 26 '12 at 12:09
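A worked version of the "crack open the cookie" diagnostic in this answer, added here as an example; it is not Ciaran's code or the asker's. It decrypts the forms ticket on every request in Global.asax and, instead of only stopping at a breakpoint, rejects tickets issued before the user's last sign-out. The reason to go this far is that FormsAuthentication.SignOut() only tells the browser to discard the cookie; the ticket inside it stays cryptographically valid until its own expiry, so a copy that survived in a cache, another IE instance or an attacker's hands still authenticates (the pen-test situation mentioned in the question's comments). Assumptions: cookie-based forms authentication, a single server, and the in-memory LogoutRegistry below standing in for a shared store; the class and method names are mine.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the question or the answers. Assumes cookie-based
// Forms Authentication on a single server; LogoutRegistry is an in-memory stand-in
// for a shared store (database or distributed cache). Names are mine.
public static class LogoutRegistry
{
    // user name -> UTC time of that user's most recent sign-out
    private static readonly ConcurrentDictionary<string, DateTime> lastSignOut =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logout handler, before FormsAuthentication.SignOut().
    public static void Record(string userName)
    {
        if (!string.IsNullOrEmpty(userName))
            lastSignOut[userName] = DateTime.UtcNow;
    }

    // Revoked = issued before the user's last recorded sign-out. A ticket issued by a
    // later login has a newer IssueDate and passes.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime signedOutAt;
        return lastSignOut.TryGetValue(ticket.Name, out signedOutAt)
            && ticket.IssueDate.ToUniversalTime() < signedOutAt;
    }
}

public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has set Context.User from the cookie and
    // before UrlAuthorizationModule applies <deny users="?">. The raw cookie is decrypted
    // here rather than reading User.Identity because, with sliding expiration, the module
    // may already have renewed the ticket and given it a fresh IssueDate.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return; // no ticket presented, nothing to check

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception) // tampered value, or encrypted under another machineKey
        {
            RejectTicket();
            return;
        }

        if (ticket == null || ticket.Expired || LogoutRegistry.IsRevoked(ticket))
            RejectTicket();
    }

    private void RejectTicket()
    {
        // Ask the browser to drop the cookie and treat this request as anonymous, so the
        // PIP folder's <deny users="?"> sends the caller to loginUrl.
        FormsAuthentication.SignOut();
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}
```

Call LogoutRegistry.Record(User.Identity.Name) in the logoff button's handler before FormsAuthentication.SignOut(). Because the registry lives in process memory it is emptied by an application restart and is not shared across a web farm; a deployment with more than one server, or one that must keep revocations across restarts, should store the timestamp in the membership database or a distributed cache instead.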
2

Set expired cookies:

HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null) { // nothing to expire if no forms cookie was sent
    cookie.Expires = DateTime.Now.AddYears(-1);
    cookie.Path = FormsAuthentication.FormsCookiePath; // request cookies carry no path; it must match for the browser to overwrite the original
    HttpContext.Current.Response.Cookies.Add(cookie);
}
Matthias A. Eckhart
Ly Sopheak
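Putting this answer together with the two above it, here is a complete sign-out routine, added as an example rather than code from any of the answerers. It signs out (which queues an expired forms cookie with the path and domain configured in web.config), abandons the session and expires the session cookie, and sets the no-cache headers so the next click on the protected folder actually reaches the server instead of the browser cache. Assumptions: cookie-based forms authentication configured in web.config, and the session cookie name read from <sessionState> with the ASP.NET default as fallback; the class and method names are mine. As the asker found, this clears only what this application issued: a session held by an external login provider must be ended with that provider's own logout.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Added example, not code from the question or the answers. Assumes cookie-based
// Forms Authentication configured in web.config. Class and method names are mine.
public static class SignOutHelper
{
    // Call from the logoff button's click handler, e.g.
    //   SignOutHelper.SignOutCompletely(Context, "~/Default.aspx");
    public static void SignOutCompletely(HttpContext context, string redirectUrl)
    {
        HttpResponse response = context.Response;

        // 1. Queue a cookie named FormsCookieName with an expiry in the past, using the
        //    FormsCookiePath and CookieDomain from web.config. If you expire it by hand
        //    instead (as in the answer above), set the same Path: entries in
        //    Request.Cookies carry no path, and a browser keeps a cookie whose path
        //    differs as a separate cookie, leaving the original alive.
        FormsAuthentication.SignOut();

        // 2. Drop server-side session state and the cookie that points at it. Forms
        //    authentication does not depend on the session, but a page that keeps its own
        //    "logged in" flags in Session would otherwise still treat the user as known.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }
        ExpireCookie(response, SessionCookieName(), "/"); // ASP.NET issues it with Path=/

        // 3. Forbid caching so Back does not serve a stale copy of the protected page and
        //    the next request for the PIP folder is actually evaluated by the server.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // 4. Redirect without ending the response: Response.Redirect(url, true) aborts the
        //    request thread, which is why any code placed after it never runs.
        response.Redirect(redirectUrl, false);
        context.ApplicationInstance.CompleteRequest();
    }

    // Cookie name from <sessionState cookieName="..."/>; ASP.NET's default is ASP.NET_SessionId.
    private static string SessionCookieName()
    {
        var section = WebConfigurationManager.GetSection("system.web/sessionState") as SessionStateSection;
        return section != null && !string.IsNullOrEmpty(section.CookieName)
            ? section.CookieName
            : "ASP.NET_SessionId";
    }

    // Re-issue a cookie of the same name and path with an expiry in the past.
    private static void ExpireCookie(HttpResponse response, string name, string path)
    {
        HttpCookie expired = new HttpCookie(name, string.Empty);
        expired.Expires = DateTime.UtcNow.AddYears(-1);
        expired.Path = string.IsNullOrEmpty(path) ? "/" : path;
        response.Cookies.Set(expired); // Set() replaces a queued cookie of the same name
    }
}
```

Verify the result with the browser's developer tools rather than by clicking around: after the logoff response, the .ASPXFORMSAUTH and session cookies must show an expiry in the past, and the next request to the PIP folder must be a 302 to Login.aspx served by the application, not a 200 served from the cache.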
0

Using the LoginView Control may solve your problem.

One of my websites has this configuration in web.config:

<authentication mode="Forms">
  <forms loginUrl="~/Login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true"
         defaultUrl="Login.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>

Then in my protected area I've created a new web.config with only these few lines:

<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

And in the MasterPage I use the LoginView control:

<asp:LoginView ID="HeadLoginView" runat="server" EnableViewState="false">
  <AnonymousTemplate>
    <a href="../LoginReservedArea.aspx">Area Clienti</a>
    <%--[ <a href="~/Login.aspx" ID="HeadLoginStatus" runat="server">Log In</a> ]--%>
  </AnonymousTemplate>
  <LoggedInTemplate>
    Welcome <asp:LoginName ID="HeadLoginName" runat="server" />
    [<asp:LoginStatus ID="HeadLoginStatus" runat="server" LogoutAction="RedirectToLoginPage" LogoutText="Log Out" />]
  </LoggedInTemplate>
</asp:LoginView>

Here is the reference for the LoginView control, where you can read that:

Logging out of the Web site clears the user's authentication status and when using cookies will clear the cookie from the user's client computer.

So I think that if you don't use the LoginView control, you have to clear the cookie manually.

2GDev
  • Thanks for your reply; I tried the web.config part, but no success so far. In this project I can't use the LoginView control; authentication and the login page are external. – Falcko Jul 30 '12 at 11:12
0
Response.Cookies.Clear(); // clears only cookies queued on this response, not anything in the browser
FormsAuthentication.SignOut();
Session.Abandon();
// FedAuth is the cookie name you see in the browser under your site URL (SharePoint's
// claims-authentication cookie); expire it explicitly so the browser drops it
if (Request.Cookies["FedAuth"] != null)
{
    HttpCookie myCookie = new HttpCookie("FedAuth");
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}

This works for SharePoint 2019.