ASP.NET MVC truly log off with Forms Authentication

Question

I have a logoff action on a controller as so:

    public ActionResult Logoff()
    {
        var x = Request.IsAuthenticated;
        var y = User.Identity.IsAuthenticated;

        FormsAuthentication.SignOut();
        Session.Abandon();

        var a = Request.IsAuthenticated;
        var b = User.Identity.IsAuthenticated;

        return View();
    }

However, x, y, a, and b, are all true. So when my view renders, it still behaves as if the user is logged in. Can someone please provide a solution and/or explanation?

Answer 1

FormsAuthentication.SignOut() removes the authentication cookie, so you need to redirect after it instead of returning a view so that the client is notified:

public ActionResult Logoff()
{
    FormsAuthentication.SignOut();
    return RedirectToAction("Index");
}

Now in the Index action the user will no longer be authenticated.