Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

FormsAuthentication.SignOut Not Working With Custom-Domain Cookie

Tags:

asp.net

asp.net-mvc

cookies

forms-authentication

dns

Title should say it all.

Here's the code to set the cookie:

// snip - some other code to create custom ticket
var httpCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encodedTicket);
httpCookie.Domain = "mysite.com";
httpContextBase.Response.Cookies.Add(httpCookie);

Here's my code to signout of my website:

FormsAuthentication.SignOut();

Environment:

  • ASP.NET MVC 3 Web Application

  • IIS Express

  • Visual Studio 2010

  • Custom domain: "http://localhost.www.mysite.com"

So when i try and log-off, the cookie is still there. If i get rid of the httpCookie.Domain line (e.g default to null), it works fine.

Other weird thing i noticed is that when i set the domain, Chrome doesn't show my cookie in the Resources portion of developer tools, but when i dont set the domain, it does.

And secondly, when i actually create the cookie with the custom domain, on the next request when i read in the cookie from the request (to decrypt it), the cookie is there, but the domain is null?

I also tried creating another cookie with the same name and setting the expiry to yesterday. No dice.

What's going on? Can anyone help?

like image 805
RPM1984 Avatar asked Oct 18 '11 02:10

RPM1984

1 Answers

I believe if you set the domain attribute on the forms element in you web.config, to the same as the one in your custom cookie, it should work. (EDIT: that approach won't work because the SignOut method on FormsAuthentication sets other flags on the cookie that you are not, like HttpOnly) The SignOut method basically just sets the cookie's expiration date to 1999, and it needs the domain to set the right cookie.

If you can't hardcode the domain, you can roll your own sign out method:

private static void SignOut()
{
    var myCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    myCookie.Domain = "mysite.com";
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    HttpContext.Current.Response.Cookies.Add(myCookie);
}

An authentication cookie is just a plain cookie; so you would remove it the same way you would any other cookie: expire it and make it invalid.

like image 115
vcsjones Avatar answered Oct 06 '22 12:10

vcsjones
Sign in to Comment

Related questions

ASP.NET MVC IgnoreRoute() by domain
Using Proxy PAC with EWS API
Update textbox from 1st UpdatePanel using LinkButton from 2nd UpdatePanel's gridview. Control could not be found
Asp.Net Identity - Updating Claims After Login
HttpRequest describable to string
Could not get conversion result header. Data transfer error. Data transmission error 109
Visual Studio Diagnostic Tools under reporting compute time
Reduce ASP.NET menu control size (without 3rd party libraries)
ASP.NET MVP - Utilizing User Controls
Asp.net open-source project as a learning source in c# [closed]
How do I share common web resources between web applications in Visual Studio?
What is a good build automation and deployment process for use with asp.net?
ASP.Net Change MasterPage Programmatically
How to pass Model from a view to a partial view?
IIS 7.5, ASP.NET, impersonation, and access to C:\Windows\Temp
JSON array type resolution in ASP.Net webservices
How to determine if a CultureInfo instance supports Latin characters
Could not render the url. Could not get image from url.Navigation timeout
How do I handle user arrival-at-page via browser-back-button?
What are the drawbacks to setting Page.ClientTarget = "uplevel" for all pages?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!