I'm developing a website with a secure part, which is the folder named 'PIP'.
The login part works okay, but when I click logoff the user is still known and won't be redirected to the login page if he/she touches the secure part.
Here is my web.config:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH">
    </forms>
  </authentication>
</system.web>
<location path="PIP">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
My login page where the user is authenticated:
FormsAuthentication.RedirectFromLoginPage(uid, false);
The default.aspx page in the secured folder (PIP) has a logoff button; the code behind that button:
FormsAuthentication.SignOut();
Response.Redirect("~/Default.aspx", true);
On the page "Default.aspx" is a link that goes to ~/PIP/Default.aspx; it should be redirected to the login page but it does not. It seems the session is not affected by the signout.
I've tried a lot of options: manually deleting the sessions, Session.Clear, Session.Abandon, but nothing seems to be working.
I hope you guys can point me in right direction!
Thanks in advance.
ASP.NET generates a new identity for Joe, and gives him a cookie. That cookie is like the key to the house, and as long as Joe returns with that key, he can open the lock. Each visitor is given a new key and a new lock to use. When FormsAuthentication.SignOut() is called, the system tells Joe to lose the key.
Normally, this works, since Joe no longer has the key, he cannot get in. However, if Joe ever comes back, and does have that lost key, he is let back in!
Calling the SignOut method only removes the forms authentication cookie. The Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie.
This means the client might send the forms authentication cookie over a non-SSL connection, thus leaving it vulnerable to hijack. You can prevent a client from sending the forms authentication cookie in the clear by running the entire Web site under SSL.
You need to abandon the session after signing out.
FormsAuthentication.SignOut();
Session.Abandon();
Response.Redirect("~/Default.aspx", true);
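As an added example (not code from the question or either answer), here is a logoff handler for the PIP/Default.aspx button that combines SignOut with Session.Abandon and also sends explicitly expired cookies, so the browser discards any copy of the forms ticket it still holds. The class and button names are hypothetical; the cookie names are the page's .ASPXFORMSAUTH (read via FormsAuthentication.FormsCookieName) and ASP.NET's default session cookie ASP.NET_SessionId.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical code-behind for ~/PIP/Default.aspx (example only).
public partial class PipDefault : System.Web.UI.Page
{
    protected void btnLogoff_Click(object sender, EventArgs e)
    {
        // 1. Remove the forms authentication cookie from this response.
        FormsAuthentication.SignOut();

        // 2. Drop server-side session state so nothing survives the logoff.
        Session.Clear();
        Session.Abandon();

        // 3. Overwrite both cookies with already-expired copies so the browser
        //    deletes them; SignOut by itself only touches the forms ticket.
        ExpireCookie(FormsAuthentication.FormsCookieName); // ".ASPXFORMSAUTH"
        ExpireCookie("ASP.NET_SessionId");                 // ASP.NET default name

        // 4. Send the user to the configured login page and end this request.
        Response.Redirect(FormsAuthentication.LoginUrl, true);
    }

    // Emit a cookie with the same name and path but an expiry in the past.
    private void ExpireCookie(string name)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);
    }
}
```

Because the server keeps no record of signed-out tickets, a copy of the cookie captured before logoff stays valid until the ticket's timeout elapses; a short timeout and requireSSL="true" on the forms element limit that window.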