Laurence

Reputation: 7823

website still logged in after logging out

I have a website with ASP.NET Forms Authentication. I recently implemented saving a cookie upon user login and have now found a problem. I am not 100% sure whether the problem existed before or not.

The steps to reproduce are:

  1. Go to my website with www (www.mysite.com).
  2. Log in to the website.
  3. Go to the website without www (mysite.com).
  4. It would ask me to log in again, so I did.
  5. Log out of the website. It redirects me to the Login page.
  6. Type www.mysite.com in the address bar, and I found it was still logged in.

So accessing my website with or without www becomes like accessing two different websites. Logging out from www.mysite.com does not log out from mysite.com. The same goes for logging in, and vice versa.

Login page

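    Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As AuthenticateEventArgs) Handles Login1.Authenticate
        ' userName and password are set elsewhere in the page (not shown)
        Dim result As Boolean = UserLogin(userName, password)
        If (result) Then
            e.Authenticated = True
            If Login1.RememberMeSet = True Then
                SetCookies(userName)
            End If
            LoginCounter(userName)
        Else
            e.Authenticated = False
        End If
    End Sub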

SetCookies()

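    Private Sub SetCookies(ByVal userName As String)
        Dim tkt As FormsAuthenticationTicket
        Dim cookiestr As String
        Dim ck As HttpCookie

        ' Ticket valid for 7 days
        tkt = New FormsAuthenticationTicket(1, userName, DateTime.Now(), DateTime.Now.AddDays(7), False, "")
        cookiestr = FormsAuthentication.Encrypt(tkt)
        ' No Domain is set, so the browser stores this cookie for the exact host only
        ck = New HttpCookie(FormsAuthentication.FormsCookieName(), cookiestr)
        ck.Expires = tkt.Expiration
        ck.Path = FormsAuthentication.FormsCookiePath()
        ' Only alters the server-side request collection; the browser's cookie is untouched
        HttpContext.Current.Request.Cookies.Remove(".ASPXAUTH")
        Response.Cookies.Add(ck)
    End Sub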

Login Status Control on Master Page

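    Protected Sub LoginStatus1_LoggingOut(ByVal sender As Object, ByVal e As LoginCancelEventArgs) Handles LoginStatus1.LoggingOut
        FormsAuthentication.SignOut()
        Session.Clear()
        Session.Abandon()

        ' Expire the auth cookie; with no Domain set this only replaces the cookie of the current host
        Dim cookie1 As New HttpCookie(FormsAuthentication.FormsCookieName, "")
        cookie1.Expires = DateTime.Now.AddYears(-1)
        Response.Cookies.Add(cookie1)

        ' Expire the session cookie for the current host
        Dim cookie2 As New HttpCookie("ASP.NET_SessionId", "")
        cookie2.Expires = DateTime.Now.AddYears(-1)
        Response.Cookies.Add(cookie2)
    End Sub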

Web.config

    <authorization>
        <deny users="?"/>
    </authorization>

    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="Login.aspx" defaultUrl="Default.aspx" cookieless="UseCookies" timeout="1440" path="/" protection="All"/>
    </authentication>

Solution: put this in Global.asax:

    Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim fromurl As String = "http://mysite.com"
        Dim tourl As String = "http://www.mysite.com"
        ' Any request whose URL contains the bare host is redirected to the www site root
        If HttpContext.Current.Request.Url.ToString().ToLower().Contains(fromurl) Then
            HttpContext.Current.Response.Status = "301 Moved Permanently"
            HttpContext.Current.Response.AddHeader("Location", tourl)
        End If
    End Sub

Upvotes: 1

Views: 938

Answers (1)

gcochard

Reputation: 11744

I would say the session cookie is (sub)domain specific.

You need to redirect all requests from one domain to the other to force the browser to only use one session.

Upvotes: 1
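
The behaviour this answer describes, as an added example that is not part of the original posts: a simplified model of a browser cookie jar (RFC 6265 storage rules) that replays the question's six steps and then the same visits behind a canonical-host redirect. The `CookieJar` class, the function names and the ticket values are constructed for illustration.

```javascript
// Added example: simplified browser cookie jar (RFC 6265 storage model).
// Host names and ticket values are constructed sample data.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply a Set-Cookie from `host`; `domain` is the optional Domain attribute,
  // `expires` is epoch milliseconds or null for a session cookie.
  set(host, { name, value, domain = null, path = "/", expires = null }) {
    const hostOnly = domain === null;
    const scope = hostOnly ? host : domain.replace(/^\./, "").toLowerCase();
    // A server may only set cookies for its own host or a parent domain.
    if (!hostOnly && host !== scope && !host.endsWith("." + scope)) return false;
    const key = `${name};${scope};${path}`;   // cookie identity
    if (expires !== null && expires <= Date.now()) this.store.delete(key);
    else this.store.set(key, { name, value, scope, hostOnly });
    return true;
  }

  // Cookies the browser would attach to a request for `host`.
  cookiesFor(host) {
    return [...this.store.values()]
      .filter(c => host === c.scope || (!c.hostOnly && host.endsWith("." + c.scope)))
      .map(c => `${c.name}=${c.value}`);
  }
}

const AUTH = ".ASPXAUTH";  // forms cookie name from the question's Web.config
const PAST = 0;            // already-expired date, as the logout handler sends

// Steps 1-6 from the question: log in on both hosts, log out on the bare host.
function replayQuestion() {
  const jar = new CookieJar();
  jar.set("www.mysite.com", { name: AUTH, value: "ticketA" });          // step 2
  jar.set("mysite.com", { name: AUTH, value: "ticketB" });              // step 4
  jar.set("mysite.com", { name: AUTH, value: "", expires: PAST });      // step 5
  return { bare: jar.cookiesFor("mysite.com"), www: jar.cookiesFor("www.mysite.com") };
}

// Same visits, but every request is first redirected to the canonical host.
function replayWithRedirect() {
  const jar = new CookieJar();
  const canonical = h => (h === "mysite.com" ? "www.mysite.com" : h);
  jar.set(canonical("www.mysite.com"), { name: AUTH, value: "ticketA" });
  jar.set(canonical("mysite.com"), { name: AUTH, value: "", expires: PAST });
  return jar.cookiesFor("www.mysite.com");
}

console.log(replayQuestion(), replayWithRedirect());
```

In the first replay the `www` host still presents `ticketA` after logout, because the expiring cookie sent from `mysite.com` has a different identity. Setting a Domain on the cookie (the `domain` attribute of `<forms>`) would also make both hosts share one cookie, at the cost of sending it to every subdomain.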
