Question

I have been trying to work out why WebSecurity.Logout() and Session.Abandon() are failing to kill my session. I have an application hosted on a webserver that is failing to sign the user out. In debug it is signing out successfully and returning to the login page as expected. I have just added the .Domain property to the cookie so that upon signing in they can access the rest of the subdomain. My cookie is created as follows:

var authTicket = new FormsAuthenticationTicket(model.UserName, false, (int)FormsAuthentication.Timeout.TotalMinutes);
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
//authCookie.Domain = "mysite.org"
authCookie.Domain = "127.0.0.1";
Response.AppendCookie(authCookie);

I found another post on Stack Overflow that recommended overwriting the session, and even when I do this:

WebSecurity.Logout();
Session.Abandon();

//clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

//clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

Any ideas what would be preventing this from working on the webserver that wouldn't happen in debug? Is there some other form of webserver cookie that could be preserving this session?

Solution

You need to set domain on your cookie when clearing it too, otherwise it will simply be setting a new cookie at full domain level (www.mysite.org) instead of clearing the mysite.org cookie.

//clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
cookie1.Domain = "mysite.org";
Response.Cookies.Add(cookie1);

//clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
cookie2.Domain = "mysite.org";
Response.Cookies.Add(cookie2);
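
Why the logout without a Domain left the user signed in, as an added example that is not part of the original answer: a simplified JavaScript model of browser cookie storage, where a cookie's identity is name + domain + path (RFC 6265, section 5.3). The `CookieJar` class, the host names and the `.ASPXAUTH` cookie name (the Forms Authentication default) are assumptions for illustration.

```javascript
// Simplified model of the browser cookie store (RFC 6265 section 5.3).
// Constructed example: hosts and values are placeholders; IP hosts are not handled.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie header from a response served by `host`.
  setCookie(host, { name, value, domain, path = "/", expires }) {
    const hostOnly = !domain; // no Domain attribute => host-only cookie
    const scope = (domain || host).replace(/^\./, "").toLowerCase();
    // A server may only set cookies for its own host or a parent domain.
    if (!hostOnly && !domainMatches(host, scope)) return;
    const key = [name, scope, path].join("|"); // identity = name + domain + path
    if (expires && expires.getTime() <= Date.now()) {
      this.store.delete(key); // removes only the cookie with the same identity
    } else {
      this.store.set(key, { name, value, scope, path, hostOnly });
    }
  }

  // Cookies the browser would attach to a request for `host`.
  cookiesFor(host) {
    const h = host.toLowerCase();
    return [...this.store.values()].filter(c =>
      c.hostOnly ? c.scope === h : domainMatches(h, c.scope));
  }
}

function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

const PAST = new Date(0);

// Replays the login response, then a logout response that expires the cookie
// with the given Domain, and returns what is still sent to www.mysite.org.
function replayLogout(logoutDomain) {
  const jar = new CookieJar();
  jar.setCookie("www.mysite.org",
    { name: ".ASPXAUTH", value: "ticket", domain: "mysite.org" });
  jar.setCookie("www.mysite.org",
    { name: ".ASPXAUTH", value: "", domain: logoutDomain, expires: PAST });
  return jar.cookiesFor("www.mysite.org").map(c => `${c.name}=${c.value}`);
}

console.log(replayLogout(undefined));    // logout without Domain
console.log(replayLogout("mysite.org")); // logout with the matching Domain
```

When verifying a logout fix, compare the `Set-Cookie` headers of the login and logout responses: Domain and Path on the expiring cookie must match the ones used at issue time.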
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow