dana

Reputation: 18135

Forms Authentication Session Valid After Logout

Is there a good way to invalidate a Forms Authentication session from the server?

I understand that the cookie has an embedded expiration, but I want to do an additional check on the server to verify that the user has not manually signed out. When a user manually signs out, I call FormsAuthentication.SignOut() which expires the cookie. However, if I use a developer tool to set the cookie back to its original value, I am still logged in.

One option I can think of would be to embed the "login id" into the UserData portion of the ticket. By this, I mean that each login is recorded in a database and there is an id associated with it. When a user manually logs out, I could update the database record to show they have done so. This, however, would require me to query the database each time a user was authenticated (not ideal). I could maintain a cache, but it seems like that would be a lot of work and I was hoping there was an easier way :)

Thanks!

Upvotes: 4

Views: 2561

Answers (2)

Wiktor Zychla

Reputation: 48240

An alternative to storing the "login id" would be to update a "login status" field in the user record.

You set it to "loggedin" when a user logs in. You set it to "loggedout" together with FormsAuthentication.SignOut.

Then, somewhere early in the processing pipeline you retrieve the user record (you'll probably still need it later on!) and check the flag. If the flag is "loggedout" then something's wrong and you end the request with 401 (or another code to indicate the authentication problem).

Also of course, use short cookie expiration times together with sliding expiration and SSL. This doesn't prevent the cookie from being hijacked by yourself but lowers the risk of reusing it by someone else.

Upvotes: 3

John Pick

Reputation: 5650

MSDN documents the limitations. Main point: Use persistent storage on the server to record when a user logs out of the Web site.

Upvotes: 5
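The server-side check that the question and both answers describe, written out as an added example (not code from the thread; assumes ASP.NET on .NET 4.x with Forms Authentication enabled): the login id is embedded in the ticket's UserData at login, and an IHttpModule rejects any ticket whose id has been revoked, so a cookie restored after SignOut no longer works. The ConcurrentDictionary is a stand-in for the database table or cache the question mentions; `LoginRegistry` and `LoginRevocationModule` are hypothetical names.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Server-side record of logins; the dictionary stands in for the database table
// the question describes (login id -> still valid?). It is per-process, so a
// real deployment would back it with the database or a shared cache.
public static class LoginRegistry
{
    private static readonly ConcurrentDictionary<string, bool> Active =
        new ConcurrentDictionary<string, bool>();

    // At login: mint a login id, record it, and embed it in the ticket's UserData.
    public static void IssueTicket(HttpResponse response, string userName)
    {
        string loginId = Guid.NewGuid().ToString("N");
        Active[loginId] = true;
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(20), false, loginId);
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
    }

    // At logout: flag the login id as dead so a replayed copy of the cookie is rejected.
    public static void SignOut(string loginId)
    {
        if (loginId != null) Active[loginId] = false;
        FormsAuthentication.SignOut();
    }

    public static bool IsActive(string loginId)
    {
        bool ok; return loginId != null && Active.TryGetValue(loginId, out ok) && ok;
    }
}

// Runs after FormsAuthenticationModule has validated the cookie and checks the
// server-side flag; a cryptographically valid but revoked ticket gets a 401.
public class LoginRevocationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) =>
        {
            var identity = app.Context.User == null ? null : app.Context.User.Identity as FormsIdentity;
            if (identity == null || LoginRegistry.IsActive(identity.Ticket.UserData)) return;
            FormsAuthentication.SignOut();  // expire the cookie again on this response
            app.Context.Response.StatusCode = 401;
            app.CompleteRequest();
        };
    }
    public void Dispose() { }
}
```

Register the module in web.config under `<system.webServer><modules>` with `<add name="LoginRevocation" type="LoginRevocationModule"/>` so it runs on every request after forms authentication.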
