FormsAuthentication.SignOut throwing NullReferenceException

Question

This problem seems related to this post, but I was not able to infer a solution from the thread.

I noticed this code in an application I inherited (after noting in a log file that an exception was being eaten):

    protected void Session_End(object sender, EventArgs e)
    {
        try
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            //if (this.Context.Handler is IRequiresSessionState || this.Context.Handler is IReadOnlySessionState)
            //{
            //    FormsAuthentication.SignOut();
            //    FormsAuthentication.RedirectToLoginPage();
            //}
        }
        catch (Exception ex)
        {
            this.GetType().GetLogger().Error(ex);
        }
    }

I am wondering a few things. First, how is SignOut throwing a null reference exception? Is it an exceptional case, or am I doing something inherently wrong in my program? Next, what should I be testing against to head-off this exception before it is thrown?

15:51:57,288 [13] ERROR ASP.global_asax - System.NullReferenceException: Object reference not set to an instance of an object. at System.Web.Security.FormsAuthentication.SignOut() at MvcApplication.Session_End

Thanks

Answer 1

It's important to realize that Session_End doesn't get necessarily executed in the the context of an HTTP request. It may run when a session times out. You cannot send anything to the client at that time, because it simply isn't there anymore!

Consequently, you should not try to delete the forms authentication cookie in Session_End. If you want, you should do that sooner, when a "Sign Off" button is clicked somewhere in your application. If you need a user's forms authentication ticket to expire after a timeout occures, you should simply set the cookie expiration time appropriately (possibly equivalent to session timeout value) in the config file.