Curtis

Reputation: 485

FormsAuthentication.SignOut not working as expected

I'm using Forms authentication in my ASP.NET web app. When the user clicks the 'sign out' button, I execute the following code:

  FormsAuthentication.SignOut();
  FormsAuthentication.RedirectToLoginPage();

which works. The problem is, before signing out, if I copy the URL of the restricted page that I'm currently on, then sign out, I can paste the URL back into the browser and return to the restricted page, bypassing the login page.

My web config looks like this:

<authentication mode="Forms">
    <forms name="NoiseAdvisor" loginUrl="~/Login.aspx" timeout="20" slidingExpiration="true" cookieless="AutoDetect" protection="All" requireSSL="false" defaultUrl="~/Restricted/Home.aspx"/>
</authentication>

Is there something I'm missing?

Upvotes: 0

Views: 2647

Answers (4)

Korayem

Reputation: 12507

This works for me

public virtual ActionResult LogOff()
{
    FormsAuthentication.SignOut();
    foreach (var cookie in Request.Cookies.AllKeys)
    {
        Request.Cookies.Remove(cookie);
    }
    foreach (var cookie in Response.Cookies.AllKeys)
    {
        Response.Cookies.Remove(cookie);
    }
    return RedirectToAction(MVC.Home.Index());
}

Upvotes: 0

Jack Marchetti

Reputation: 15754

Have you checked to make sure you're restricting the page correctly?

Such as:

  <location path="RestrictedPage.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Or, you can physically check on the restricted page:

// Only render the restricted content for an authenticated user.
if (HttpContext.Current.User != null &&
    HttpContext.Current.User.Identity.IsAuthenticated)
{
    // show restricted content
}

Upvotes: 0

Sam

Reputation: 10123

When you "paste" a URL into your browser, it is going to give you a cached version of the page (same view as your last visit) unless you've explicitly disabled client caching for the page. As cdonner mentioned, press Shift+F5 and I'm guessing it will kick you to the login page.

Upvotes: 0

cdonner

Reputation: 37708

Can you confirm that the page is not cached by your browser and you are actually seeing a cached version? Press Shift-F5 and see if the page refreshes or if you are redirected to the login page instead. If that is the case, you can play with the cache settings to make sure users cannot go back to the page.

Upvotes: 1
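The last two answers attribute the behaviour to the browser cache. The following is an added example, not code from any of the posts above: an HTTP module that marks authenticated responses for restricted pages as non-cacheable, so a pasted URL after sign-out triggers a fresh request that reaches the login redirect. The class name `NoStoreForRestrictedModule` is hypothetical, and the `~/Restricted/` prefix is an assumption taken from the question's `defaultUrl`.

```csharp
using System;
using System.Web;

// Added example: applies no-cache/no-store to authenticated responses
// served from the restricted area of the application.
public class NoStoreForRestrictedModule : IHttpModule
{
    // Assumption: restricted pages live under this folder, as suggested by
    // defaultUrl="~/Restricted/Home.aspx" in the question's web.config.
    private const string RestrictedPrefix = "~/Restricted/";

    public void Init(HttpApplication app)
    {
        // By PostAuthorizeRequest, Forms authentication has populated
        // Context.User and URL authorization has already run.
        app.PostAuthorizeRequest += OnPostAuthorize;
    }

    private static void OnPostAuthorize(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        bool restricted = path.StartsWith(
            RestrictedPrefix, StringComparison.OrdinalIgnoreCase);
        bool authenticated =
            ctx.User != null && ctx.User.Identity.IsAuthenticated;

        // Public pages and anonymous requests keep their normal caching.
        if (!restricted || !authenticated)
        {
            return;
        }

        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        cache.SetNoStore();                                     // adds no-store
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));         // already expired
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
    }

    public void Dispose()
    {
    }
}
```

Register the module in web.config under `<system.webServer><modules>` (IIS integrated pipeline) or `<system.web><httpModules>` (classic pipeline).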
