Reputation: 6971
I am having trouble with a security issue in ASP.NET. On log out I want to make sure the session is destroyed so that someone can't take the same session ID and auth cookies, edit their cookies, and have the server still respond to the session.
FormsAuthentication.SignOut();
Session.Abandon();
Session.RemoveAll();
Session.Clear();
I have tried using the above in different orders and still no dice. I am still logged in if I use the original session ID and auth cookies. I want the server to totally forget about that session ID when I log out. Is this even possible?
Upvotes: 1
Views: 1095
Reputation: 3315
If you are using forms authentication, you are probably not calling FormsAuth.SignOut();
Upvotes: 0
Reputation: 17614
If you are using FormsAuthentication then you can use
FormsAuthentication.SignOut();
Session.Abandon();
You can also expire the cookies as follows
// clear authentication cookie (sends it back to the browser already expired)
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);
// clear session id cookie so the next request is assigned a fresh session id
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);
Upvotes: 3
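The reason the original cookies keep working is that a forms-authentication ticket is self-contained: the server validates its signature and expiry but keeps no record of it, so FormsAuthentication.SignOut() and the expired cookies above only change what the browser sends, not what the server will accept. A copied cookie stays valid until the ticket itself expires. Rejecting it requires server-side state. The following is an added example, not code from the question or either answer: a per-user "login generation" is embedded in the ticket's UserData at login, bumped at logout, and checked on every request in Global.asax. The class names LoginGeneration, AuthHelper and Global, the static in-memory dictionary, and .NET 4.0 or later (for FormsAuthentication.Timeout) are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Hypothetical revocation store: user name -> current login generation.
// A ticket is accepted only while the generation embedded in it matches this value,
// so bumping it at logout revokes every ticket the user was issued before.
// A static dictionary covers one process only; a web farm needs a database or shared cache.
public static class LoginGeneration
{
    private static readonly ConcurrentDictionary<string, int> Current =
        new ConcurrentDictionary<string, int>(StringComparer.OrdinalIgnoreCase);

    public static int Get(string user) { int g; return Current.TryGetValue(user, out g) ? g : 0; }
    public static int Bump(string user) { return Current.AddOrUpdate(user, 1, (k, g) => g + 1); }
}

public static class AuthHelper
{
    // Login: issue a ticket whose UserData carries the current generation.
    // UserData is preserved when FormsAuthenticationModule renews a sliding-expiration ticket,
    // so the check below still holds after a renewal.
    public static void IssueTicket(HttpResponse response, string user, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            2, user, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, LoginGeneration.Get(user).ToString(), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Logout: revoke on the server first, then do the client-side cleanup from the answers above.
    public static void Logout(HttpContext ctx)
    {
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            LoginGeneration.Bump(ctx.User.Identity.Name);   // invalidates all outstanding tickets
        FormsAuthentication.SignOut();                       // expires the auth cookie in the browser
        if (ctx.Session != null) ctx.Session.Abandon();      // drops server-side session state
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddYears(-1)           // next request gets a fresh session id
        });
    }

    // True only for a ticket that decrypts, is unexpired and carries the user's current generation.
    public static bool IsTicketValid(string cookieValue)
    {
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookieValue); }
        catch (Exception) { return false; }                  // tampered or foreign cookie
        if (ticket == null || ticket.Expired) return false;
        int gen;
        return int.TryParse(ticket.UserData, out gen) && gen == LoginGeneration.Get(ticket.Name);
    }
}

// Global.asax code-behind. PostAuthenticateRequest runs after FormsAuthenticationModule has
// accepted the cookie and set Context.User, which is where a replayed ticket must be undone.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie c = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (c == null || string.IsNullOrEmpty(c.Value)) return;
        if (!AuthHelper.IsTicketValid(c.Value))
        {
            // Revoked or replayed ticket: treat the request as anonymous and expire the cookie.
            var anon = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            Context.User = anon;
            Thread.CurrentPrincipal = anon;
            FormsAuthentication.SignOut();
        }
    }
}
```

Call AuthHelper.IssueTicket in place of FormsAuthentication.SetAuthCookie on the login page and AuthHelper.Logout(Context) from the logout handler. Bumping the generation logs the user out on every device, which is usually what is wanted after a suspected cookie theft; if the store is kept in memory, as here, an application restart resets it and the generation values no longer line up with outstanding tickets, so persist it in practice. Session.Abandon() alone does not help with this problem because the authentication decision is made from the ticket, not from session state.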