7

I'm a new developer, and I've been assigned the task of figuring out why our log out function is not working. I've tried every possible method I can find. Below is the log I've kept that includes the methods I've used.

  1. Added a log out button to the CommonHeader.ascx form

  2. Have tried numerous methods in the logout.aspx.vb form to get it to end or clear the session but none of them work.

a. ClearSession sub routine defined in the logout.aspx.vb form:

    Session("Variable") = ""
    FormsAuthentication.SignOut()
    Session.RemoveAll()
    Session.Abandon()
    Session.Clear()

b. Also added this to the top of the Page_Load sub routine:

    HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache)
    HttpContext.Current.Response.Cache.SetNoServerCaching()
    HttpContext.Current.Response.Cache.SetNoStore()

c. Also changed the ClearSession sub routine to Session.Contents.Remove("Variable") from Session("Variable") = ""

None of these methods work. We use Siteminder, and I've been wondering if this is the root of the problem. I just can't find anything on clearing a Session that uses Siteminder. Also keep in mind this application is coded with Visual Studio 2003.

This is the code for the button I'm using in the ascx file:

    <athp:TopNavText Title="Log Out" NavigateUrl="logout.aspx" Target="_top"/>

Then on the "logout.aspx" form I've tried just using one of the methods described above or a combination of each one. This is the code before I ever touch it:

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        ClearSession()
        Response.Redirect("login.aspx")
    End Sub

    Public Sub ClearSession()
        Session("Variable") = ""
    End Sub

Joe
gbills
  • Did you verify by debugging that your ClearSession sub routine was getting called? (particularly when you had Session.Abandon() in there) – G_P Oct 12 '12 at 15:12
  • If you're using VS2003, then you're using .NET 1.1. – John Saunders Oct 12 '12 at 15:13
  • Yes, it definitely hits the sub routine. I put markers in the code to verify it wasn't stopping before it reached the ClearSession subroutine. It's just called when the page loads, then it's supposed to redirect to the login page, but it keeps redirecting me back to the home page with me still logged in when I have Response.Redirect("login.aspx") unquoted. – gbills Oct 12 '12 at 15:22
  • @JohnSaunders: Sorry for the bad tag... VS 2003 was ages back and I forgot the version momentarily... – naveen Oct 12 '12 at 16:00
  • Have you tried putting a breakpoint in the session_start to see if it is getting hit again and re-initializing everything? I have seen that be a problem. – Mike Cheel Oct 12 '12 at 18:15
  • Sometimes the IDE will have some kind of bug. Try once on your server and check. – techBeginner Oct 12 '12 at 18:30

5 Answers

2

Finally figured out the solution: I originally did not define the domain upon deletion of the cookie which contained the SiteMinder session ID. The code I used is as follows:

        Dim cookie3 As HttpCookie = New HttpCookie("SMSESSION", "NO")
        cookie3.Expires = DateTime.Now.AddYears(-1)
        cookie3.Domain = ".domain.com"
        Response.Cookies.Add(cookie3)

        Response.Redirect("login.aspx")
gbills
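
Why the missing Domain mattered, as an added example that is not part of the original answer: a browser identifies a stored cookie by name, domain and path, so an expiring Set-Cookie without Domain targets a host-only cookie and leaves the domain-wide SMSESSION in place. The host `app.domain.com`, the token value and the `BrowserJar` class are constructed for illustration; this is a simplified model of RFC 6265 cookie storage, not SiteMinder or ASP.NET code.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers. The page only gives the cookie name and ".domain.com".
LOGIN_COOKIE = "SMSESSION=CONSTRUCTEDTOKEN; domain=.domain.com; path=/"
EXPIRE_NO_DOMAIN = "SMSESSION=NO; expires=Sat, 01 Jan 2000 00:00:00 GMT; path=/"
EXPIRE_WITH_DOMAIN = ("SMSESSION=NO; expires=Sat, 01 Jan 2000 00:00:00 GMT; "
                      "domain=.domain.com; path=/")


class BrowserJar:
    """Toy cookie store keyed the way browsers key cookies: (name, domain, path)."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, header_value, request_host):
        parsed = SimpleCookie()
        parsed.load(header_value)
        for name, morsel in parsed.items():
            # No Domain attribute means a host-only cookie bound to the exact host.
            domain = morsel["domain"].lstrip(".").lower() or request_host.lower()
            path = morsel["path"] or "/"  # assumption: default path is "/"
            key = (name, domain, path)
            expires = morsel["expires"]
            expired = bool(expires) and (
                parsedate_to_datetime(expires) <= datetime.now(timezone.utc))
            if expired:
                # An expiry only removes the cookie whose key matches exactly.
                self.cookies.pop(key, None)
            else:
                self.cookies[key] = morsel.value

    def names(self):
        return sorted(name for name, _, _ in self.cookies)


def survives_logout(logout_set_cookie, host="app.domain.com"):
    """Return True if SMSESSION is still stored after the logout response."""
    jar = BrowserJar()
    jar.set_cookie(LOGIN_COOKIE, host)        # set at login, scoped to the domain
    jar.set_cookie(logout_set_cookie, host)   # sent by logout.aspx
    return "SMSESSION" in jar.names()


if __name__ == "__main__":
    print("expiry without Domain, still logged in:", survives_logout(EXPIRE_NO_DOMAIN))
    print("expiry with Domain, still logged in:", survives_logout(EXPIRE_WITH_DOMAIN))
```

The same comparison can be made on a live logout response by checking in Fiddler that the expiring Set-Cookie carries the same Domain and Path as the SMSESSION cookie the browser is sending.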
0

This question: formsauthentication-signout-does-not-log-the-user-out describes a problem with not clearing cookies even after calling FormsAuthentication.SignOut(). This sounds like your issue; they say it's a bug with .NET, and as you're using 1.1 this sounds distinctly possible.

Community
David A Gibson
  • using that example gives me this error: Compiler Error Message: BC30108: 'HttpCookie' is a type and cannot be used as an expression. Line 36: HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "") – gbills Oct 12 '12 at 16:33
  • Ok I fixed that compiler error, but it still doesn't work using that example. – gbills Oct 12 '12 at 17:01
0

Hi friend, please add the click event of the button in the user control. In the click event, please add the following code and remove all the other code.

    Session("Variable") = ""

0

Look at this post:

C# Clear Session

Whether it's C# or VB, the same rules still apply. You are calling session abandon then clear, but by the time you call clear the session should be gone anyway.

Clear keeps the session state along with the objects in it, so by calling it after abandon you could in fact be reinitializing a session for the user, but with cleared variables.

See this post for the order and proper way to kill the session and redirect to the login page if you have one

FormsAuthentication.SignOut() does not log the user out

Community
DRobertE
0

The first thing to note is that, if you're using Forms Authentication, Session has absolutely nothing to do with whether or not a user is logged in.

Calling FormsAuthentication.SignOut will remove the forms-authentication ticket information from the cookie or the URL if CookiesSupported is false.

But it will have no effect on what is stored in Session.

UPDATE

Why do you think log out (FormsAuthentication.SignOut) is not working? What are you expecting to happen when you click on Sign Out, and what exactly is actually happening?

I'd get rid of all the code to clear Session and look at this. For example, look at the HTTP traffic with a tool such as Fiddler: you should be able to see that the FormsAuthentication cookie is removed when you click on Log Out.

Joe
  • Thank you for clearing that up. I just thought I would try it because at this point I just want it to function. We're using the namespace System.Web.SessionState which I would assume would be able to use some of the methods I've tried above. – gbills Oct 12 '12 at 19:25
  • When I click on Log out, I am trying to get it to redirect me to my Log In page. Instead it just redirects me back to my Main page. I've tried each of the methods I listed above, and for each one, according to Fiddler, it's the same cookie still being used. I believe it has something to do with Siteminder, but I can't figure out how to kill a Siteminder session. – gbills Oct 15 '12 at 21:19
  • @GarrettBills, It is almost certainly related to SiteMinder. I'm not familiar with SiteMinder so I've added a SiteMinder tag to your question in the hope that someone who is will see it. I would assume you would need to expire whatever cookie is being used by SiteMinder (normally by setting its expiry date to a date in the past) - you should be able to see the cookie using Fiddler. – Joe Oct 16 '12 at 05:42
  • Yes, I can see in Fiddler that there is an ASP.NET_SessionId and a SMSESSION in the cookie. I've been able to kill the ASP.NET_SessionId variable, but since the SMSESSION variable is still alive it just creates a new cookie. My co-worker said there is code to kill the SMSESSION, he's going to help me figure it out today. I'll post it once we get it working. – gbills Oct 16 '12 at 13:56
  • You don't need to kill the ASP.NET SessionId cookie - that has nothing to do with authentication. You do need to delete the SMSESSION cookie as described at the link below: http://msdn.microsoft.com/en-us/library/ms178195(v=vs.100).aspx – Joe Oct 16 '12 at 14:12