Question

I'm using the LoginStatus control to let my users log out. I write no more code for the logout process (no session removing, deleting cookies or redirecting the user), just relying on the control's built-in code.

Now I wonder if it is enough to put a LoginStatus control on the page and let it do the rest itself (I mean deleting session cookies and signing out the user), or whether I should handle its events and write code to delete cookies and log out the user.

I've read that even after logging out the user with the LoginStatus control, we should delete the session cookie to prevent others from taking and using it (hijacking it), or add some strings like the IP or ... to its content to avoid hijacking... is it true?


Solution

The LoginStatus control only signs out your FormsAuth ticket, but does not specifically abandon the current Session. It is important to note that the FormsAuth ticket (stored as a cookie) is what actually determines if the user is logged in and who; the ASP.NET session does not (unless you have custom code that additionally checks the ASP.NET session on top of the forms auth status).

So, if you only need to sign out the ticket, you're good to go. However, if your application stores information in the ASP.NET session and you need that thrown out too, then you should add an event handler to the LoggedOut event in your page's code-behind and call Session.Abandon (or whatever you think is appropriate).
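A complete code-behind for what the accepted answer describes, as an added example that is not part of either answer on this page. It assumes a Web Forms page whose markup declares `<asp:LoginStatus ID="LoginStatus1" runat="server" OnLoggedOut="LoginStatus1_LoggedOut" />` (the id and page class name are assumptions), forms authentication in web.config, and the default session cookie name `ASP.NET_SessionId` (an assumption; change it if `<sessionState cookieName="...">` is set). It goes one step past the answer by also expiring the session-id cookie, since `Session.Abandon()` discards the server-side session but does not remove that cookie from the browser.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Assumed page class name; the matching .aspx declares LoginStatus1 (assumed id).
public partial class SecurePage : Page
{
    // Default ASP.NET session cookie name (assumption: cookieName is not
    // overridden in web.config's <sessionState> element).
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Wired from markup via OnLoggedOut="LoginStatus1_LoggedOut".
    // LoginStatus raises LoggedOut after it has already called
    // FormsAuthentication.SignOut(), so the forms-auth ticket cookie is
    // gone by now; the ASP.NET session is untouched until we act.
    protected void LoginStatus1_LoggedOut(object sender, EventArgs e)
    {
        // Drop any per-user data kept in session state and mark the
        // server-side session as ended.
        Session.Clear();
        Session.Abandon();

        // Abandon() does not clear the session-id cookie on the client.
        // Overwrite it with an expired cookie so the old id is not reused
        // by this browser (or anyone who copied it) after logout.
        ExpireCookie(SessionCookieName);

        // Belt and braces: expire the auth cookie explicitly as well, in
        // case a proxy or script kept a copy of the pre-SignOut response.
        ExpireCookie(FormsAuthentication.FormsCookieName);

        // Redirection is left to the control's LogoutAction property
        // (Refresh / Redirect / RedirectToLoginPage), which runs after
        // this event, so no explicit redirect is needed here.
    }

    // Sends an already-expired cookie with the given name so the browser
    // discards its stored copy. Path defaults to "/" for the cookie, which
    // matches how ASP.NET issues both the session and auth cookies.
    private void ExpireCookie(string name)
    {
        HttpCookie expired = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.Now.AddYears(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(expired);
    }
}
```

If you set `LogoutAction="RedirectToLoginPage"` on the control, the user ends up on the login page with both the auth ticket and the session id invalidated; if you instead leave `LogoutAction="Refresh"`, the page reloads anonymously and a fresh session id is issued on the next request that touches `Session`.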

OTHER TIPS

Try something like this:

// Code-behind handler for the LoginStatus control's LoggedOut event
protected void LoginStatus1_LoggedOut(object sender, EventArgs e)
{
    // Remove the forms-authentication ticket cookie from the response
    FormsAuthentication.SignOut();
    // Discard server-side session state for this user
    Session.Abandon();

    // clear authentication cookie: overwrite it with an expired one so the browser drops it
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    cookie1.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie1);

    // And then send the user to the login page
    FormsAuthentication.RedirectToLoginPage();
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow