2

We have a number of internal company ASP.Net applications. All use Forms Authentication and all are session based...

What I am trying to do is when a user logs out of one application he/she is logged out of all applications.

I have some logic that iterates the cookies collection. I can see all the other ASP.Net applications but I cannot remove them.

I'm currently using the following logic:

    // expire all asp.net app tickets
    string[] allDomainCookes = HttpContext.Current.Request.Cookies.AllKeys;

    foreach (string domainCookie in allDomainCookes)
    {
        if (domainCookie.Contains("ASPXAUTH"))
        {
            var expiredCookie = new HttpCookie(domainCookie) { Expires = DateTime.Now.AddDays(-1) };
            HttpContext.Current.Response.Cookies.Add(expiredCookie);
        }
    }
    HttpContext.Current.Request.Cookies.Clear();

For some reason they are not being removed. I know they are all there because I have written them to the page. They are just not being removed... Is this because these are session cookies?

Also I should add they are all sub-domains of the same domain so ownership should not be an issue?

glenho123

3 Answers

5

Try this code... works for me

    FormsAuthentication.SignOut();
    HttpContext.Current.Session.Clear();
    HttpContext.Current.Session.Abandon();
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    cookie1.Expires = DateTime.Now.AddYears(-1);
    HttpContext.Current.Response.Cookies.Add(cookie1);
    HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
    cookie2.Expires = DateTime.Now.AddYears(-1);
    HttpContext.Current.Response.Cookies.Add(cookie2);

Syed Mhamudul Hasan
4

Actually... I've just found the problem. I need to specify the domain as well:

    string[] allDomainCookes = HttpContext.Current.Request.Cookies.AllKeys;

    foreach (string domainCookie in allDomainCookes)
    {
        if (domainCookie.Contains("ASPXAUTH"))
        {
            var expiredCookie = new HttpCookie(domainCookie) {
                Expires = DateTime.Now.AddDays(-1),
                Domain = ".mydomain"
            };
            HttpContext.Current.Response.Cookies.Add(expiredCookie);
        }
    }
    HttpContext.Current.Request.Cookies.Clear();

glenho123
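
Why adding the Domain made the difference, as an added example that is not part of the original question or answers: a small JavaScript model of the RFC 6265 cookie store, in which an expiring `Set-Cookie` only removes a cookie whose name, domain and path all match. The hosts (`app1.example.test`, `app2.example.test`), the cookie name `.ASPXAUTH_APP2` and the `CookieJar` class are constructed for illustration.

```javascript
// Minimal model of the RFC 6265 cookie store. A stored cookie is identified by
// (name, domain, path); an expiring Set-Cookie only removes an exact match.
const domainMatch = (host, d) => host === d || host.endsWith("." + d);
const defaultPath = p => (p.lastIndexOf("/") <= 0 ? "/" : p.slice(0, p.lastIndexOf("/")));

class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie header from a response served by requestHost.
  setCookie(header, requestHost, requestPath = "/") {
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const name = pair.slice(0, pair.indexOf("="));
    let domain = requestHost, hostOnly = true;
    let path = defaultPath(requestPath), expires = null;
    for (const attr of attrs) {
      const i = attr.indexOf("=");
      const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
      const val = i < 0 ? "" : attr.slice(i + 1);
      if (key === "domain" && val) {
        const d = val.replace(/^\./, "").toLowerCase();
        if (!domainMatch(requestHost, d)) return false; // host outside that domain: ignored
        domain = d; hostOnly = false;
      } else if (key === "path" && val.startsWith("/")) path = val;
      else if (key === "expires") expires = Date.parse(val);
    }
    const id = `${name}|${domain}|${path}`;
    if (expires !== null && expires <= Date.now()) this.store.delete(id);
    else this.store.set(id, { name, domain, hostOnly });
    return true;
  }

  // Names of the cookies that would be sent to host.
  namesFor(host) {
    return [...this.store.values()]
      .filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
      .map(c => c.name);
  }
}

function demo() {
  const jar = new CookieJar(), past = "Thu, 01 Jan 1970 00:00:00 GMT";
  // Constructed sample: app2 issued its forms ticket scoped to the parent domain.
  jar.setCookie(".ASPXAUTH_APP2=ticket; Domain=.example.test; Path=/", "app2.example.test");
  // Logout on app1 without Domain targets (name, app1.example.test, /): no match.
  jar.setCookie(`.ASPXAUTH_APP2=; Expires=${past}; Path=/`, "app1.example.test");
  const withoutDomain = jar.namesFor("app2.example.test");
  // Same logout naming the Domain the cookie was issued under: exact match, removed.
  jar.setCookie(`.ASPXAUTH_APP2=; Expires=${past}; Domain=.example.test; Path=/`, "app1.example.test");
  return { withoutDomain, withDomain: jar.namesFor("app2.example.test") };
}
console.log(demo());
```

The same matching applies to Path: a ticket issued under a non-root path needs that Path on the expiring cookie too.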
0

Cookies only work in the same domain. If it's cross domain, you need another solution. Here is another article about Asp.net cookie.

Joseph