Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

FormsAuthentication.SignOut throwing NullReferenceException

This problem seems related to this post, but I was not able to infer a solution from the thread.

I noticed this code in an application I inherited (after noting in a log file that an exception was being eaten):

    protected void Session_End(object sender, EventArgs e)
    {
        try
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            //if (this.Context.Handler is IRequiresSessionState || this.Context.Handler is IReadOnlySessionState)
            //{
            //    FormsAuthentication.SignOut();
            //    FormsAuthentication.RedirectToLoginPage();
            //}
        }
        catch (Exception ex)
        {
            this.GetType().GetLogger().Error(ex);
        }
    }

I am wondering a few things. First, how is SignOut throwing a null reference exception? Is it an exceptional case, or am I doing something inherently wrong in my program? Next, what should I be testing against to head-off this exception before it is thrown?

15:51:57,288 [13] ERROR ASP.global_asax - System.NullReferenceException: Object reference not set to an instance of an object. at System.Web.Security.FormsAuthentication.SignOut() at MvcApplication.Session_End

Thanks

like image 571
Sean Anderson Avatar asked Jul 06 '11 23:07

Sean Anderson


1 Answers

It's important to realize that Session_End doesn't get necessarily executed in the the context of an HTTP request. It may run when a session times out. You cannot send anything to the client at that time, because it simply isn't there anymore!

Consequently, you should not try to delete the forms authentication cookie in Session_End. If you want, you should do that sooner, when a "Sign Off" button is clicked somewhere in your application. If you need a user's forms authentication ticket to expire after a timeout occures, you should simply set the cookie expiration time appropriately (possibly equivalent to session timeout value) in the config file.

like image 73
mmx Avatar answered Nov 05 '22 23:11

mmx