Question

I have a main asp.net app, which is written in asp.net 1.1. Running underneath the application are several 2.0 apps. To completely logout a user can I just logout of the 1.1 app with FormsAuthentication.SignOut or is it more complicated than that?


Solution

What you are looking to do is called Single Sign On and Single Sign Off. There are differences based on how you have the applications set up. I will try to clarify where those differences come into play.

To implement single sign on and single sign off you need to make the cookie name, protection, and path attributes the same between all the applications.

<authentication mode="Forms">
    <forms name=".cookiename"
           loginUrl="~/Login.aspx" 
           timeout="30" 
           path="/" />
</authentication>

Next you need to add the machine keys and they need to be the same between all your applications.

<machineKey validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
            encryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
            validation="SHA1" />

Are you using second or third level domains for the applications? If so you will need to do a little bit more by adding the domain to the cookie:

protected void Login(string userName, string password)
{
    System.Web.HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, false);
    cookie.Domain = "domain1.com";
    cookie.Expires = DateTime.Now.AddDays(30);
    Response.AppendCookie(cookie);
}

Now to do single sign off, calling FormsAuthentication.SignOut may not be enough. The next best thing is to set the cookie expiration to a past date. This will ensure that the cookie will not be used again for authentication.

protected void Logout(string userName)
{
    System.Web.HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, false);
    cookie.Domain = "domain1.com";
    cookie.Expires = DateTime.Now.AddDays(-1);
    Response.AppendCookie(cookie);
}

I am taking into consideration that you are using the same database for all the applications. If the applications use a separate database for registration and authentication, then we will need to do some more. Just let me know if this is the case. Otherwise this should work for you.
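As an added illustration (not code from the answer above), a sign-off helper for the same Forms-authentication setup: it expires the shared cookie on the parent domain without minting a new ticket, and adds a server-side revocation check, because an expired Set-Cookie only asks the browser to forget a ticket that stays cryptographically valid until its own timeout. The parent domain ".domain1.com" and the in-memory SignedOutAt store are assumptions for illustration; the cookie name and path come from the web.config above.

```csharp
using System;
using System.Collections;
using System.Web;
using System.Web.Security;

// Assumes every app shares the <forms name=".cookiename" path="/"> and
// <machineKey> settings shown above; ".domain1.com" is a hypothetical parent domain.
public class SingleSignOff
{
    const string CookieName = ".cookiename";
    const string CookieDomain = ".domain1.com";
    // Sign-out time per user name. In-memory for illustration only: the apps run in
    // separate AppDomains, so in practice this belongs in a shared database table.
    static readonly Hashtable SignedOutAt = new Hashtable();

    // Call from the Logout handler of any of the applications.
    public static void SignOutEverywhere(HttpContext ctx, string userName)
    {
        // Asks the browser to drop the cookie for this app's own cookie path.
        FormsAuthentication.SignOut();
        // Also send an already-expired, empty cookie scoped to the shared domain and
        // root path so the copy read by the sibling apps is removed too. Unlike
        // GetAuthCookie in the answer, no fresh (valid) ticket is minted here.
        HttpCookie expired = new HttpCookie(CookieName, string.Empty);
        expired.Domain = CookieDomain;
        expired.Path = "/";
        expired.Expires = DateTime.Now.AddDays(-1);
        ctx.Response.Cookies.Add(expired);
        if (ctx.Session != null) ctx.Session.Abandon();
        // Expiring the cookie only asks the browser to forget it; the ticket stays
        // valid until its own timeout. Record the sign-out so a ticket issued before
        // it is refused even if a copy of the cookie is presented later.
        lock (SignedOutAt) SignedOutAt[userName] = DateTime.Now;
    }

    // Call from Application_AuthenticateRequest in each app's Global.asax; when it
    // returns true, call FormsAuthentication.SignOut() and redirect to the login page.
    public static bool IsTicketRevoked(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        if (cookie == null) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; }   // undecryptable: the module rejects it anyway
        if (ticket == null) return false;
        object signedOut;
        lock (SignedOutAt) signedOut = SignedOutAt[ticket.Name];
        return signedOut != null && ticket.IssueDate <= (DateTime)signedOut;
    }
}
```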

OTHER TIPS

It could be easier if you have a central session store for all your applications. You can then set the session to null in one place.

This worked for me:

In the Logout event, instead of the FormsAuthentication.GetAuthCookie method, use the Cookies collection of the Request object as below:

HttpCookie cookie = Request.Cookies.Get(otherSiteCookieName);
if (cookie != null)   // Get returns null when the cookie is not present on the request
{
    cookie.Expires = DateTime.Now.AddDays(-1);
    HttpContext.Current.Response.Cookies.Add(cookie);
}

Of course, this requires you to know the cookie name of the site(s) you want the user to be logged out of, which however won't be a problem if you are using the same cookie across all the web apps.

I prefer to use web.config:

<authentication mode="Forms">
    <forms domain=".tv.loc" loginUrl="~/signin" timeout="2880" name="auth" />
</authentication>

Licensed under: CC-BY-SA with attribution