Reputation: 21285
I have a logout handler which used to work fine:
    public void ProcessRequest(HttpContext context)
    {
        // Sign out
        System.Web.Security.FormsAuthentication.SignOut();

        // Clear Session
        if (context.Session != null)
        {
            context.Session.Clear();
        }

        // Expire all the cookies so browser visits us as a brand new user
        List<string> cookiesToClear = new List<string>();
        foreach (string cookieName in context.Request.Cookies)
        {
            HttpCookie cookie = context.Request.Cookies[cookieName];
            cookiesToClear.Add(cookie.Name);
        }

        foreach (string name in cookiesToClear)
        {
            HttpCookie cookie = new HttpCookie(name, string.Empty);
            cookie.Expires = DateTime.Today.AddYears(-1);
            context.Response.Cookies.Set(cookie);
        }

        context.Response.Redirect("~/default.aspx");
    }
Once I added the "domain" parameter to the authentication section of web.config:
    <forms timeout="50000000"
           loginUrl="~/login"
           domain='mysite.com'/>
... it is no longer logging the user out - after it redirects to "~/default.aspx" I can still see the user logged in (I put a breakpoint in the Load event of that page and check HttpContext.Current.User.Identity.IsAuthenticated, and it's still = true).
Then I remove "domain='mysite.com'" and it logs the user out without problems.
I do need to specify the domain because I added a subdomain with its own application but I want it to share authentication cookie.
Any ideas are highly appreciated!
Upvotes: 4
Views: 1060
Reputation: 21285
When I recreate cookies to expire, I need to specify the domain:
    cookie.Domain = FormsAuthentication.CookieDomain;
That solves the problem.
Upvotes: 1
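A scope-aware version of the logout handler, as an added example that is not the poster's code; the class name `LogoutHandler` and the helper `BuildExpiredCookie` are hypothetical. It goes slightly beyond the answer by applying the configured domain and path only to the forms-authentication cookie, so cookies that were issued without a Domain attribute are still expired with a matching host-only cookie.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical handler name; assumes forms authentication is configured in web.config.
public class LogoutHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        FormsAuthentication.SignOut();
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon(); // drop the server-side session as well
        }
        // Snapshot the names first: adding to Response.Cookies also changes Request.Cookies.
        string[] names = context.Request.Cookies.AllKeys;
        foreach (string name in names)
        {
            if (name == null) continue;
            bool isAuthCookie = string.Equals(
                name, FormsAuthentication.FormsCookieName, StringComparison.OrdinalIgnoreCase);
            context.Response.Cookies.Set(BuildExpiredCookie(name, isAuthCookie));
        }
        context.Response.Redirect("~/default.aspx");
    }

    // The browser sends only name=value back, never Domain or Path, so the scope of the
    // expiring cookie has to come from configuration. Other cookies are treated as host-only.
    static HttpCookie BuildExpiredCookie(string name, bool isAuthCookie)
    {
        HttpCookie cookie = new HttpCookie(name, string.Empty);
        cookie.Expires = DateTime.UtcNow.AddYears(-1);
        cookie.HttpOnly = true;
        if (isAuthCookie)
        {
            cookie.Path = FormsAuthentication.FormsCookiePath;
            cookie.Secure = FormsAuthentication.RequireSSL;
            string domain = FormsAuthentication.CookieDomain;
            if (!string.IsNullOrEmpty(domain)) cookie.Domain = domain;
        }
        return cookie;
    }
}
```

Any other cookie the application sets with an explicit Domain or a non-default Path needs the same treatment, using the values it was issued with.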