ASP.NET MVC FormsAuthentication.SignOut doesn't work

Question

I'm trying to use forms.signout but sometimes it does not log out the user and he still can navegates through the website.

How can I resolve this? I also configured web.config forms authentication, but it's still not working.

I'm using FormsAuthentication to autenticate an user passing he's login.

Thanks!!

Answer 1

I don't know what the cause is but a few things you might consider/try

• are they actually able to still visit pages generated by the server or are they just going back to locally cached versions? What happens when they cause a postback that has code to check if they are authenticated does that work or does it fail? I think the later meaning they are signed out but viewing cached versions of the logged in page in which case you want to instruct the client not to cache the pages using for instances:

  Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1)); Response.Cache.SetCacheability(HttpCacheability.NoCache); Response.Cache.SetNoStore();

• You can try manually setting the cookie to be expired but this is a hack

  FormsAuthentication.SignOut(); Context.Response.Cookies.Item(FormsAuthentication.FormsCookieName).Expires = Date.Now; Response.Redirect("~/Somewhere.aspx");

Answer 2

Does the user have the domain (or a parent domain) in their trusted sites or intranet sites? I've run into some issues recently where a user is authenticated, but anonymous under circumstances where this is true. In my case it could also be that a parent site was, at one time, configured to allow windows integrated authentication. I've removed since removed that, but it didn't seem to help the problem. I haven't yet restarted IIS to see if this would have an effect. I've resorted to checking both that the user is authenticated and non-anonymous to ensure that the proper parts of the view are rendered. This is actually more accurate even though my login code should prevent having an anonymous login.