Menu
You first need to Clear the Authentication Cookie and Session Cookie by passing back empty cookies in the Response to the Logout. public ActionResult LogOff() { FormsAuthentication. SignOut(); Session. Clear(); // This may not be needed -- but can't hurt Session.
Form Authentication is a token-based system. When users log in, they receive a token with user information that is stored in an encrypted cookie. When a user requests an ASP.NET page via the browser, the ASP.NET verifies whether the form authentication token is available.
The ASPXAUTH cookie is used to determine if a user is authenticated. As far as the location of the cookie, that depends on your browser. If you are using Firefox you can view the cookie by clicking on Tools -> Options -> Privacy. Then scroll down to the domain and expand it to see the cookie and its value.
SetAuthCookie(String, Boolean, String)
I have an ASP.NET (MVC) website that is serving static content (images) as well as dynamic content from the same domain. The site uses forms auth, and has a login controller. There have been some very strange / irregular issues with people finding themselves logged in or out at random intervals, and we've tracked it down to an issue with a reverse proxy caching an image file that has a set-cookie response header that sets the auth cookie. Once this is cached, everyone then gets the same auth cookie, which leads to some very weird outcomes.
My question is - how on earth would an image get a set-cookie header in the first place? What is the ASP.NET forms authentication module doing to cause this - surely it sets the cookie on the main HTML content response. I get that the auth cookie is then sent with all subsequent requests to the domain, but I cannot figure out how the cookie is set in the first place.
(BTW this issue may also be the culprit in at least two existing large ecommerce sites that are suffering from similar problems, with no solution, so it would be a good one to solve).
The response is shown below (taken from fiddler).
HTTP/1.1 200 OK
Cache-Control: public, max-age=86400,max-age=86400
Content-Type: image/png
Last-Modified: Thu, 04 Nov 2010 16:00:52 GMT
Accept-Ranges: bytes
ETag: "0528474397ccb1:0"
Server: Microsoft-IIS/7.5
Set-Cookie: my-auth-cookie=6BC25F1EF71989466A48C0120E7739E; path=/; HttpOnly
Date: Wed, 17 Nov 2010 17:15:08 GMT
Content-Length: 15790
Update: additional info - we are using IIS 7.5 on Win2008 R2, 64bit, and the app is running under an app pool that is using the integrated pipeline / .net 4.
Update 2: I am not looking for a solution to the problem, we have one already. I am looking for an answer to the question, which is why it happened in the first place? Please don't answer telling me about subdomains or how cookies work!
Update 3: adding in the request:
GET https://www.example.com/sprite.png HTTP/1.1
Host: www.example.com
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: my-auth-cookie=6BC25F1EF71989466A48C0120E7739E;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With