4

I have a logout handler which used to work fine:

    public void ProcessRequest(HttpContext context)
    {
        // Sign out
        System.Web.Security.FormsAuthentication.SignOut();

        // Clear Session
        if (context.Session != null)
        {
            context.Session.Clear();
        }

        // Expire all the cookies so browser visits us as a brand new user
        List<string> cookiesToClear = new List<string>();
        foreach (string cookieName in context.Request.Cookies)
        {
            HttpCookie cookie = context.Request.Cookies[cookieName];
            cookiesToClear.Add(cookie.Name);
        }

        foreach (string name in cookiesToClear)
        {
            HttpCookie cookie = new HttpCookie(name, string.Empty);
            cookie.Expires = DateTime.Today.AddYears(-1);

            context.Response.Cookies.Set(cookie);
        }
        context.Response.Redirect("~/default.aspx");
    }

Once I added the "domain" parameter to the authentication section of web.config:

        <forms timeout="50000000" 
               loginUrl="~/login" 
               domain='mysite.com'/>

... it is no longer logging the user out - after it redirects to "~/default.aspx" I can still see the user logged in (I put a breakpoint in the Load event of that page and check HttpContext.Current.User.Identity.IsAuthenticated, and it's still = true).

Then I remove "domain='mysite.com'" and it logs the user out without problems.

I do need to specify the domain because I added a subdomain with its own application but I want it to share the authentication cookie.

Any ideas are highly appreciated!

Andrey
  • Possibly related: http://stackoverflow.com/questions/412300/formsauthentication-signout-does-not-log-the-user-out – Michael Haren Mar 22 '11 at 02:38
  • @Michael: I actually figured that out: When I recreate cookies to expire, I need to specify the domain: cookie.Domain = FormsAuthentication.CookieDomain; and it now works! – Andrey Mar 22 '11 at 02:49

2 Answers

1

When I recreate cookies to expire, I need to specify the domain:

    cookie.Domain = FormsAuthentication.CookieDomain;

That solves the problem.

Andrey
  • I wanted to just say thank you! Been struggling with this little bug now for about 6 months always trying something new! You nailed it. Really appreciate it. – SpoiledTechie.com May 01 '13 at 20:16
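
As an added example (not code from the question or the answers): a logout handler that expires every cookie both as a host-only cookie and with the configured forms domain, because a browser only discards a cookie when the name, domain and path of the expiring `Set-Cookie` match the stored one. The class name `LogoutHandler` and the helper `Expired` are hypothetical; the redirect target is the one from the question.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical handler name; not code from the question.
public class LogoutHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Snapshot the names before touching the response: cookies added to
        // Response.Cookies also show up in Request.Cookies.
        string[] names = context.Request.Cookies.AllKeys;

        // Queues an expired ticket cookie that already carries the domain
        // and path configured on <forms>.
        FormsAuthentication.SignOut();

        if (context.Session != null) context.Session.Clear();

        // Null or empty when <forms domain="..."> is not set.
        string domain = FormsAuthentication.CookieDomain;
        foreach (string name in names.Where(n => !string.IsNullOrEmpty(n)).Distinct())
        {
            // Add() appends another Set-Cookie header. Set() would replace a
            // same-named cookie already queued, including the one from SignOut().
            context.Response.Cookies.Add(Expired(name, null));       // host-only variant
            if (!string.IsNullOrEmpty(domain))
            {
                context.Response.Cookies.Add(Expired(name, domain)); // domain variant
            }
        }

        context.Response.Redirect("~/default.aspx");
    }

    // Builds an expiring cookie. Path stays at HttpCookie's default "/", so a
    // cookie issued with another path needs that path set here as well.
    private static HttpCookie Expired(string name, string domain)
    {
        var cookie = new HttpCookie(name, string.Empty);
        cookie.Expires = DateTime.UtcNow.AddYears(-1);
        if (domain != null) cookie.Domain = domain;
        return cookie;
    }
}
```

Sending both variants also covers cookies that were issued without a domain, such as a session cookie left at its defaults, which a domain-scoped expiry alone would not remove.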
0

Please specify domain =".mysite.com"

Servy
sajoshi
  • You don't need that - writing cookie to the base domain makes it accessible to all subdomains. I actually figured out the solution - I need to specify domain when I expire the cookies. – Andrey Mar 22 '11 at 02:47