Reputation: 115
I'm developing a website with a secure part, that is the folder named 'PIP'.
The login part works okay, but when I click logoff the user is still known and is not redirected to the login page if he/she touches the secure part.
Here is my web.config:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH">
    </forms>
  </authentication>
</system.web>
<location path="PIP">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
My login page where the user is authenticated:
FormsAuthentication.RedirectFromLoginPage(uid, false);
The default.aspx page in the secured folder (PIP) has a logoff button; this is the code behind that button:
FormsAuthentication.SignOut();
Response.Redirect("~/Default.aspx", true);
On the page "Default.aspx" there is a link that goes to ~/PIP/Default.aspx. It should be redirected to the login page, but it does not. It seems the session is not affected by the signout.
I've tried a lot of options: manually deleting the sessions, Session.Clear, Session.Abandon, but nothing seems to be working.
I hope you guys can point me in the right direction!
Thanks in advance.
Upvotes: 6
Views: 18406
Reputation: 1
Response.Cookies.Clear(); // only empties the outgoing cookie collection; it does not remove anything from the browser
FormsAuthentication.SignOut();
Session.Abandon();
if (Request.Cookies["FedAuth"] != null) // FedAuth is your cookie name, as shown in the browser under your site URL
{
    // overwrite the cookie with one that has already expired so the browser discards it
    HttpCookie myCookie = new HttpCookie("FedAuth");
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}
This works for SharePoint 2019.
Upvotes: 0
Reputation: 21
Set expired cookies:
HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null) // no forms cookie on the request means there is nothing to expire
{
    cookie.Expires = DateTime.Now.AddYears(-1);
    HttpContext.Current.Response.Cookies.Add(cookie);
}
Upvotes: 2
Reputation: 551
Do you have any other instances of IE open before, during, or after you sign out? If not, you can find that the cookie still exists in a shared cookie element of IE.
Do you have any expiry set on your web pages? If not, the page may still be in your browser cache and the Forms Authentication check on the server will not be called.
If you close your browser, try to go to a protected resource again and have to log in, then it is configured correctly. The Session cookie is not used as part of the Forms Authentication process, so you need not worry about it - FormsAuthentication.SignOut() is the correct way to do this.
In your Global.asax.cs add the following event handler - if you don't already have it - and put a breakpoint on it. If you hit the breakpoint for subsequent requests after you've called LogOff then you can crack open the cookie and have a look inside it - my guess is that you won't hit this breakpoint because the requests are being served from the cache.
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // breakpoint here: if it is not hit for requests after LogOff, the page came from the browser cache
}
To crack open the cookie:
HttpRequest currentRequest = HttpContext.Current.Request;
// Attempt to get the Forms Auth Cookie from the Request
HttpCookie authenticationCookie = currentRequest.Cookies[FormsAuthentication.FormsCookieName];
if (authenticationCookie != null)
{
    // Crack the Cookie open (Decrypt throws if the cookie value is not a valid ticket)
    var formsAuthenticationTicket = FormsAuthentication.Decrypt(authenticationCookie.Value);
    // breakpoint here to see the contents of the ticket.
    if (formsAuthenticationTicket.Expired)
    {
        // intentionally empty: a place to break when an expired ticket is still being sent
    }
}
It is also worthwhile trying this in Firefox or Chrome as they seem better at getting rid of the cookie immediately.
To disable caching you can put the following in one of the pages:
private static void SetImmediateExpiryOnResponse(HttpResponse response)
{
    response.Cache.SetAllowResponseInBrowserHistory(false);
    response.Cache.SetCacheability(HttpCacheability.NoCache);
    response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
    response.Cache.SetNoStore();
    response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    response.Expires = -1;
    response.ExpiresAbsolute = DateTime.Now.AddDays(-1);
    response.CacheControl = "no-cache";
}
Upvotes: 2
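The answer above applies the no-cache headers page by page and inspects the ticket at a breakpoint. As an added example (not code from the answer or from the question), the same two ideas can be put in one IHttpModule so that every response under the protected folder carries the no-cache headers and the ticket state is logged on every request; if the log shows no request at all after logoff, the browser served the page from its cache. The folder name ~/PIP comes from the question; the module name and the Trace logging are assumptions.

```csharp
// Added example, not from the original page. Assumes the protected folder is ~/PIP
// (from the question) and that the module is registered in web.config, e.g.
// <system.webServer><modules><add name="ProtectedAreaModule" type="ProtectedAreaModule" /></modules></system.webServer>
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class ProtectedAreaModule : IHttpModule
{
    private const string ProtectedPath = "~/PIP/"; // assumption: the question's secure folder

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.PostRequestHandlerExecute += OnPostRequestHandlerExecute;
    }

    public void Dispose() { }

    private static bool IsProtected(HttpRequest request)
    {
        // AppRelativeCurrentExecutionFilePath is "~/PIP/Default.aspx" for the secure page
        return request.AppRelativeCurrentExecutionFilePath
                      .StartsWith(ProtectedPath, StringComparison.OrdinalIgnoreCase);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!IsProtected(app.Request)) return;

        // Same inspection as the answer's "crack open the cookie" snippet, but logged
        // instead of stopped at in the debugger.
        HttpCookie cookie = app.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            Trace.TraceInformation("[PIP] no forms cookie on {0}", app.Request.RawUrl);
            return;
        }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null)
                Trace.TraceWarning("[PIP] forms cookie present but not a valid ticket");
            else
                Trace.TraceInformation("[PIP] ticket for '{0}', expired={1}, expires={2:u}",
                    ticket.Name, ticket.Expired, ticket.Expiration);
        }
        catch (Exception ex) // Decrypt throws on a tampered or foreign cookie value
        {
            Trace.TraceWarning("[PIP] forms cookie could not be decrypted: {0}", ex.Message);
        }
    }

    private static void OnPostRequestHandlerExecute(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!IsProtected(app.Request)) return;

        // The answer's SetImmediateExpiryOnResponse, applied to the whole folder, so a
        // logged-off user cannot get a protected page back from the browser cache.
        HttpResponse response = app.Response;
        response.Cache.SetAllowResponseInBrowserHistory(false);
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
        response.Cache.SetNoStore();
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
    }
}
```

Trace output goes wherever the application's trace listeners are configured; the point of logging rather than breaking is that the "after logoff, was the server even asked?" question can be answered on a deployed site, not only under a debugger.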
Reputation: 2466
Using the LoginView Control may solve your problem.
One of my websites has this configuration in web.config:
<authentication mode="Forms">
  <forms loginUrl="~/Login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/" requireSSL="false"
         slidingExpiration="true" defaultUrl="Login.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>
Then in my protected area I've created a new web.config with only these few lines:
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
And in the MasterPage I use the LoginView control:
<asp:LoginView ID="HeadLoginView" runat="server" EnableViewState="false">
  <AnonymousTemplate>
    <a href="../LoginReservedArea.aspx">Area Clienti</a>
    <%--[ <a href="~/Login.aspx" ID="HeadLoginStatus" runat="server">Log In</a> ]--%>
  </AnonymousTemplate>
  <LoggedInTemplate>
    Welcome <asp:LoginName ID="HeadLoginName" runat="server" />
    [<asp:LoginStatus ID="HeadLoginStatus" runat="server" LogoutAction="RedirectToLoginPage" LogoutText="Log Out" />]
  </LoggedInTemplate>
</asp:LoginView>
Here there is a reference to the LoginView control, where you can read that:
Logging out of the Web site clears the user's authentication status and when using cookies will clear the cookie from the user's client computer.
So I think that if you don't use the LoginView control you have to clear the cookie manually.
Upvotes: 0
Reputation: 13690
You need to abandon the session after signing out.
FormsAuthentication.SignOut();
Session.Abandon();
Response.Redirect("~/Default.aspx", true);
Upvotes: 4
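The answers on this page each give one piece of the logoff: SignOut(), Session.Abandon(), and overwriting the forms cookie with an expired one. As an added example (not code from any of the answers), here is a single logoff handler that combines them. The detail the short snippets leave out is that the expired cookie must be written with the same Path, Domain and Secure attributes the forms cookie was issued with; otherwise the browser treats it as a different cookie and keeps the live one. The landing page ~/Default.aspx and the cookie names come from the question and the framework defaults; the class and method names are assumptions.

```csharp
// Added example, not from the original page. Assumes the forms settings from the
// question's web.config (default cookie path and domain) and a public ~/Default.aspx.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class Logoff
{
    // Default ASP.NET session cookie name; an assumption, since it can be changed
    // with <sessionState cookieName="..."/> in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public static void SignOutAndRedirect(HttpContext context, string landingUrl = "~/Default.aspx")
    {
        // 1. Drop the server-side session. The forms ticket does not live here, but
        //    anything the application cached for this user should go with the login.
        HttpSessionState session = context.Session;
        if (session != null)
        {
            session.Clear();
            session.Abandon();
        }

        // 2. Clear the forms-authentication cookie the framework's way.
        FormsAuthentication.SignOut();

        // 3. Explicitly overwrite the cookie with an expired one whose attributes match
        //    how it was issued. A mismatch in Path or Domain creates a second cookie
        //    instead of replacing the live one, which is one way "SignOut does nothing".
        var deadAuth = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            deadAuth.Domain = FormsAuthentication.CookieDomain;
        context.Response.Cookies.Set(deadAuth); // Set replaces any cookie of the same name already queued

        // 4. Expire the session cookie too, so the abandoned session id is not sent again.
        var deadSession = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            Path = "/",
        };
        context.Response.Cookies.Set(deadSession);

        // 5. Land on a page outside the protected folder; Redirect(url, true) ends the request.
        context.Response.Redirect(landingUrl, true);
    }
}

// Code-behind usage on ~/PIP/Default.aspx, in place of the question's two-line handler:
// protected void btnLogoff_Click(object sender, EventArgs e)
// {
//     Logoff.SignOutAndRedirect(Context);
// }
```

One property of forms authentication worth knowing when reasoning about logoff: SignOut() and the expired cookie only tell the browser to stop sending the ticket. The ticket itself is self-contained and stays valid on the server until its timeout, so a copy of the cookie taken before logoff would still be accepted until then; invalidating it server-side needs a store of revoked tickets checked on each request, which is outside this example.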