
I've wrapped some code around my project to enable user authentication. It seems to be using FormsAuthentication as well as .NetCasAuthentication. When a user wants to log in, I redirect them to an external page whose URL is saved in DotNetCasClient.CasAuthentication.FormsLoginUrl, and that, after a successful login attempt, sets the User.Identity object. So far so good.

Now, how do I properly sign the user out?

I've tried

  • FormsAuthentication.SignOut()
  • Expiring a couple cookies as suggested here
  • And even explicitly nullifying the User object: HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);

But when I send another request to my application, it's still able to find that user's information somewhere.

Does CasAuthentication save to a cookie? Or is it more likely that it's in some unique location as defined by the external login page? I have the option of redirecting to the corresponding external logout page, but I don't know how to do that without redirecting to it and leaving my application, and I don't want to do that.

Thanks for reading.

Jared Roder

1 Answer


I'm still not quite sure what was causing the phantom log out, but I was able to fix the issue I was having.

I included an iframe in my application's login and logout pages, whose sources (src) are pointed at the external login and logout pages, respectively. To tell CAS where to redirect to after validating FormsAuthentication credentials, I had to append at the end of the login iframe's src URL a query string that looks like `?TARGET=http%3a%2f%2fsome.url.aspx`

(The target URL is escaped. '%3a' is URL encoding for a colon (:) and '%2f' is a forward slash (/).)

So, say, the external login URL was https://www.externalsite.com/login and I wanted to redirect to my welcome page http://www.mysite.com/welcome.aspx after logging in, my application's login page iframe src would need to be

`https://www.externalsite.com/login?TARGET=http%3a%2f%2fwww.mysite.com%2fwelcome.aspx`

After doing that, everything seems to be working fine.

I couldn't find documentation for the TARGET query string, but it seems to be related to the 'targetService' parameter described here.

Jared Roder
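
Building the iframe src described in the answer above, as an added example that is not part of the original post: it URL-encodes the return address into the TARGET query string and only accepts return addresses on hosts the application expects. The class and method names and the allowed-host list are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example; CasIframeUrl, Build and AllowedTargetHosts are hypothetical names.
public static class CasIframeUrl
{
    // Hosts the application is willing to be sent back to (assumption: your own site).
    private static readonly HashSet<string> AllowedTargetHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.mysite.com" };

    public static string Build(string casPageUrl, string targetUrl)
    {
        Uri casPage;
        if (!Uri.TryCreate(casPageUrl, UriKind.Absolute, out casPage) ||
            casPage.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("CAS page must be an absolute https URL.", "casPageUrl");

        Uri target;
        if (!Uri.TryCreate(targetUrl, UriKind.Absolute, out target) ||
            (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps) ||
            !AllowedTargetHosts.Contains(target.Host))
            throw new ArgumentException("Target must be an http(s) URL on an allowed host.", "targetUrl");

        // EscapeDataString encodes ':' as %3A and '/' as %2F.
        // The case of the hex digits is not significant, so this matches %3a / %2f.
        string encoded = Uri.EscapeDataString(target.AbsoluteUri);

        // Use '&' if the CAS page URL already carries a query string; drop any fragment.
        string separator = string.IsNullOrEmpty(casPage.Query) ? "?" : "&";
        return casPage.GetLeftPart(UriPartial.Query) + separator + "TARGET=" + encoded;
    }

    public static void Main()
    {
        // Sample values taken from the answer's illustration.
        Console.WriteLine(Build("https://www.externalsite.com/login",
                                "http://www.mysite.com/welcome.aspx"));
    }
}
```

Assign the returned string to the iframe's src attribute on the login or logout page, HTML-attribute-encoding it when it is written into markup.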