I'm using ASP authentication and the integrated webservice.
The user logs in with Forms authentication on a login page.
To log out, I call the authentication webservice from Silverlight and call logout.
Everything worked OK but now sometimes IE gets crazy and doesn't log out the user anymore.
I used Fiddler, and it turns out that the authentication service returns a SetCookie to clear the ASPXAUTH cookie, but on the next call IE still has the cookie set.
So of course, because the cookie is there, the user is authenticated and logs right back in rather than being directed to the login page.
I checked and didn't see any other description of the issue. I can't reproduce it and my colleagues that have a misbehaving IE have it working fine on one environment and not on the other (one has the issue for DEV and another has the issue for the PreProd server).
Any idea what may be going on?
I had this issue, and to make sure the user gets logged out, I now use the following piece of code:
FormsAuthentication.SignOut();
// Drop all the information held in the session
Session.Clear();
Session.Abandon();
// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);
// clear session cookie
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);
// Redirect the user to the login page
Response.Redirect("YourLoginPage.aspx", true);
To avoid this issue, the moment you call SignOut, the next call must be Redirect(pageLogOut, true); and you must stop any other activity until it has fully redirected. The parameter true is very important.
After you call SignOut(), you must force the browser to flush the cookie data, because if the authentication requests the cookie again for any reason, the cookie gets more time to live and it is not deleted from the browser as you asked for with the SignOut command.
So after the SignOut, make a redirect to a page, or make sure that you flush the cookies to the browser and do not request anything else that has to do with the authentication of the user until the cookies are completely written to the browser.
Hope this helps.
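A small simulation of the race described above, added here as an illustration and not code from the original posts: a call still in flight at logout gets its forms ticket reissued by sliding expiration, and its late response puts the cookie back after the logout response cleared it. The 30-minute timeout, the timings, the user name and all function names are assumptions; the renewal rule models the sliding-expiration behaviour of reissuing a ticket once more than half its lifetime has elapsed.

```python
from dataclasses import dataclass
from typing import Optional

COOKIE = ".ASPXAUTH"      # default forms-authentication cookie name
TIMEOUT = 30 * 60         # assumed ticket timeout, in seconds
EXPIRE = object()         # stands for a Set-Cookie with an expiry in the past


@dataclass
class Ticket:
    user: str
    issued: int
    expires: int


def handle_call(ticket: Optional[Ticket], now: int):
    """Server side of an authenticated call; returns a Set-Cookie value or None.
    Sliding expiration reissues the ticket once over half its lifetime has passed."""
    if ticket is None or now >= ticket.expires:
        return None
    if now - ticket.issued > ticket.expires - now:
        return Ticket(ticket.user, now, now + TIMEOUT)
    return None


class Browser:
    def __init__(self):
        self.jar = {}

    def apply(self, set_cookie):
        """Apply one response's Set-Cookie; the last response to arrive wins."""
        if set_cookie is EXPIRE:
            self.jar.pop(COOKIE, None)
        elif set_cookie is not None:
            self.jar[COOKIE] = set_cookie


def cookie_survives_logout(in_flight_at: Optional[int]) -> bool:
    """Log in at t=0, optionally leave one call in flight, then log out."""
    browser = Browser()
    browser.apply(Ticket("alice", 0, TIMEOUT))   # login response (constructed user)
    delayed = None
    if in_flight_at is not None:                 # call sent with the old cookie
        delayed = handle_call(browser.jar.get(COOKIE), in_flight_at)
    browser.apply(EXPIRE)                        # logout response arrives first
    browser.apply(delayed)                       # late response from the in-flight call
    return COOKIE in browser.jar
```

The cookie only comes back when a call is in flight and the ticket is past half its lifetime, which fits a problem that appears on some machines and environments and not others.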