Jhorra

Reputation: 6321

ASP.Net MVC app logout not completely logging out

This app is running in an environment where some users are still using IE7, if that makes any difference. What we're seeing is that occasionally, after someone logs out and someone else logs in, they still get residue from the previous person, where it may show that person's profile. Any suggestions would be greatly appreciated.

I'm using the following as the logout method in my ASP.NET MVC app:

public ActionResult LogOff()
{

    System.Web.HttpContext.Current.Response.Cookies.Clear();
    FormsService.SignOut();
    Session["User"] = null;
    Session.Clear();
    Session.Abandon();
    Session.RemoveAll();

    return Redirect("/");
}

The app is using sessions saved into the database because it's running on two different web servers.

Here are some settings from the web.config:

<sessionState sqlConnectionString="LiveDB" />
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<membership>
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LiveDB" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="50" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
  </providers>
</membership>
<profile>
  <providers>
    <clear />
    <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="LiveDB" applicationName="/" />
  </providers>
</profile>
<roleManager enabled="true">
  <providers>
    <clear />
    <add connectionStringName="LiveDB" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

Upvotes: 2

Views: 8777

Answers (2)

Win

Reputation: 62260

If you use FormsAuthentication to log in like this:

FormsAuthentication.SetAuthCookie("username", false);

then logout is supposed to be

FormsAuthentication.SignOut();

If you still have an issue, you can force the cookie to expire like this.

Upvotes: 4

Andrey Gubal

Reputation: 3479

Membership and Session providers work separately. Two members may use one session. That is not a rule, but it can be.

I'm not sure, but I have a suggestion about your problem. Session has the property IsNewSession. Microsoft says that it "Gets a value indicating whether the session was created with the current request."

So you may try to check whether the session of the logged-in user is new, because he may share a session with the old user, and maybe this is the reason why one sees another's profile.

Upvotes: 0
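An added example, not code from either answer or from the asker's project: a logout action that sends both the forms-authentication cookie and the session ID cookie back already expired, which covers the "force the cookie to expire" step in the first answer and the shared-session concern in the second. It assumes a hypothetical `AccountController` and the default session cookie name `ASP.NET_SessionId` (no `cookieName` override in `sessionState`).

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical controller for illustration; only the framework calls are real APIs.
public class AccountController : Controller
{
    public ActionResult LogOff()
    {
        // Expires the forms-authentication ticket cookie on the response.
        FormsAuthentication.SignOut();

        // End the server-side session for the current session ID.
        Session.Clear();
        Session.Abandon();

        // Response.Cookies.Clear() only empties the outgoing collection; it does
        // not delete anything stored in the browser. A cookie is deleted by
        // sending it again with an expiry date in the past.
        ExpireCookie(FormsAuthentication.FormsCookieName,
                     FormsAuthentication.FormsCookiePath);

        // Session.Abandon() does not remove the session ID cookie, so the same
        // browser would otherwise present the old ID for the next user's login.
        // Assumption: default cookie name, not overridden in web.config.
        ExpireCookie("ASP.NET_SessionId", "/");

        return Redirect("/");
    }

    // Replaces (or adds) the named cookie on the response with an empty,
    // already-expired value so the browser discards its stored copy.
    private void ExpireCookie(string name, string path)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Path = path,
            HttpOnly = true
        };
        Response.Cookies.Set(cookie);
    }
}
```

With the session ID cookie expired at logout, the next login from the same browser is issued a fresh session ID, so `Session.IsNewSession` is true on that request.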
