Question

We have enabled cookieless authentication and sessions in our ASP.Net MVC3 site. The problem we have come across is that if you log out a user, it does not invalidate the already created cookie/session stored in the cookieless string. The scenario is as follows:

User logs into the site, registers and logs in using cookieless authentication; the user now has the cookieless ticket in their url. User copies the url by creating a desktop shortcut or copy and paste.

User logs out of the site and FormsAuthentication.SignOut() is called to invalidate the ticket, and the user is redirected to the logon page.

The user can now simply copy and paste that URL into any browser or even go to another computer and the site will accept that authentication ticket even though they had already logged out; creating a serious security risk.

Is there any way to disable all previous cookies whether cookieless or not? Currently our process works for cookie-based sessions/logins; we just need a solution for cookieless.

The only possible solution we have found so far would be to track all cookies in a db and invalidate the cookie in the database as well as checking the db to ensure that the current cookie is still valid. This would significantly impact performance, so we want to verify this is the only/best solution before we move forward.

Thanks


Solution

Essentially, in the URL /F-long text/ your FormsAuthentication ticket is stored. This ticket carries its own expiration within it (at least if it is not persistent); after that timespan the URL becomes invalid. So I would recommend simply reducing the timespan. If explicit logout is a "must-have", you have to use a DB only if you're in a web farm and you don't have some kind of scale-out solution. If you have a single box you can use HttpCache to do the dirty job. Also I would use just the UserID, not the whole cookie (i.e. on login add the UserID with some timespan into the active user IDs range; in Global.asax on PostAuthorize check if the user is within the active user IDs, prolong his timespan if he is and throw him out otherwise; on logout remove him).
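The single-server scheme described in this answer, written out as an added example (this is not the answerer's code and not part of any ASP.NET library). It assumes a hypothetical helper class `ActiveSessions` backed by `HttpRuntime.Cache`, a 20-minute sliding window, and the standard `Application_PostAuthorizeRequest` event in Global.asax; only the user name from the ticket is tracked, not the ticket itself.

```csharp
using System;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical helper: an in-memory set of users whose login is still "live".
// Works for a single box only; a web farm needs a shared store instead.
public static class ActiveSessions
{
    // Idle time after which a user is treated as logged out (constructed value).
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(20);

    private static string Key(string userName) { return "active-user:" + userName; }

    // Call right after a successful login.
    public static void Register(string userName)
    {
        HttpRuntime.Cache.Insert(Key(userName), DateTime.UtcNow, null,
            Cache.NoAbsoluteExpiration, Window);
    }

    // Call from the logout action next to FormsAuthentication.SignOut().
    public static void Revoke(string userName)
    {
        HttpRuntime.Cache.Remove(Key(userName));
    }

    // True while the user is in the active set. Reading a sliding-expiration
    // entry refreshes its window, which is the "prolong his timespan" step.
    public static bool IsActive(string userName)
    {
        return HttpRuntime.Cache.Get(Key(userName)) != null;
    }
}

// Global.asax.cs: reject a ticket that is still cryptographically valid but
// whose user has signed out or idled past the window.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthorizeRequest(object sender, EventArgs e)
    {
        var user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        if (!ActiveSessions.IsActive(user.Identity.Name))
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}

// Login/logout actions showing where the helper is wired in (hypothetical
// controller; the credential check itself is left to the site's membership code).
public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return View();

        ActiveSessions.Register(userName);
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToAction("Index", "Home");
    }

    public ActionResult LogOff()
    {
        ActiveSessions.Revoke(User.Identity.Name);
        FormsAuthentication.SignOut();
        Session.Abandon();
        return RedirectToAction("Index", "Home");
    }
}
```

Because the set is keyed on the user name rather than the ticket, signing out in one browser revokes every copied URL for that user at once, which is exactly the behaviour the question asks for; the trade-off is that a restart of the worker process empties the cache and logs everyone out.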

Other tips

Use Session.Abandon() after the SignOut to discard the session.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow