Is there a good way to invalidate a Forms Authentication session from the server?
I understand that the cookie has an embedded expiration, but I want to do an additional check on the server to verify that the user has not manually signed out. When a user manually signs out, I call FormsAuthentication.SignOut(), which expires the cookie. However, if I use a developer tool to set the cookie back to its original value, I am still logged in.
One option I can think of would be to embed the "login id" into the UserData portion of the ticket. By this, I mean that each login is recorded in a database and there is an id associated with it. When a user manually logs out, I could update the database record to show they have done so. This, however, would require querying the database each time a user was authenticated (not ideal). I could maintain a cache, but it seems like that would be a lot of work and I was hoping there was an easier way :)
Thanks!
MSDN documents the limitations. Main point: Use persistent storage on the server to record when a user logs out of the Web site.
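An added example (not code from the question, the answer, or the framework) showing the approach both posts describe: the login id is placed in the ticket's UserData at sign-in, sign-out revokes it on the server before expiring the cookie, and a PostAuthenticateRequest check rejects any replayed cookie whose login id is no longer active. The LoginSessions class and its in-memory dictionary are assumptions; the dictionary stands in for the persistent store the answer recommends.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example; LoginSessions and its in-memory store are assumptions, not
// framework code. A real deployment backs the store with persistent storage.
public static class LoginSessions
{
    // login id -> still active? Stand-in for the database table the question describes.
    private static readonly ConcurrentDictionary<string, bool> Active =
        new ConcurrentDictionary<string, bool>();

    // Issue a ticket whose UserData carries a server-generated login id.
    public static void SignIn(HttpResponse response, string userName)
    {
        string loginId = Guid.NewGuid().ToString("N");
        Active[loginId] = true;
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), false, loginId);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = FormsAuthentication.RequireSSL };
        response.Cookies.Add(cookie);
    }

    // Revoke on the server first, then expire the cookie: a copy of the old cookie
    // put back by the client still decrypts, but now fails the check below.
    public static void SignOut(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity != null) Active[identity.Ticket.UserData] = false;
        FormsAuthentication.SignOut();
    }

    // Call from Global.asax Application_PostAuthenticateRequest. The module has
    // already decrypted and validated the ticket; this adds the server-side check.
    public static void RejectRevokedSessions(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;
        bool active;
        if (Active.TryGetValue(identity.Ticket.UserData, out active) && active) return;
        FormsAuthentication.SignOut();                       // expire the replayed cookie
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}
```

The per-request lookup is the cost the question worries about; with a persistent store behind it, the dictionary becomes the cache the question mentions, so the database is hit only on a miss or on sign-out.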