2

This app is running in an environment where some users are still using IE7 if that makes any difference. What we're seeing is occasionally after someone logs out and someone else logs in they still get residue from the previous person where it may show that persons profile. Any suggestions would be greatly appreciated.

I'm using the following as the logout method in my asp.net mvc app

public ActionResult LogOff()
{

    System.Web.HttpContext.Current.Response.Cookies.Clear();
    FormsService.SignOut();
    Session["User"] = null;
    Session.Clear();
    Session.Abandon();
    Session.RemoveAll();

    return Redirect("/");
}

The app is using sessions saved into the database because it's running on two different web servers.

Here's some settings from the web.config

<sessionState sqlConnectionString="LiveDB" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership>
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LiveDB" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="50" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
  </providers>
</membership>
<profile>
  <providers>
    <clear />
    <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="LiveDB" applicationName="/" />
  </providers>
</profile>
<roleManager enabled="true">
  <providers>
    <clear />
    <add connectionStringName="LiveDB" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>
Jhorra
  • 6,233
  • 21
  • 69
  • 123
  • FYI, you appear to be using FormsAuthentication but yet you are storing user information in the Session. That's probably not a good idea. Session and authentication are two different things, with different lifetimes, and more importantly, security. – Erik Funkenbusch Aug 17 '13 at 02:56

2 Answers2

4

If you use FormAuthentication to login like this - 

FormsAuthentication.SetAuthCookie("username", false);

then Logout is supposed to be 

FormsAuthentication.SignOut();

If you still have issue, you can force cookie to expire like this.

Community
  • 1
  • 1
Win
  • 61,100
  • 13
  • 102
  • 181
0

Membership and Session providers works separetly. Two members may use one session. That is not a rule, but it can be.

I'm not sure but I have a suggetion about your problem. Session has property IsNewSession. Microsofts says, that it "Gets a value indicating whether the session was created with the current request."

So, you may try to check if the Session of login user is new, because as he may share session with old user, and, may be, this is a reason, why one sees others profile.

Andrey Gubal
  • 3,481
  • 2
  • 18
  • 21