🤩 New Cool Developer Tools for you. Explore →
FREE JavaScript Video Series Start Learning →
FLAT 75% OFF All Interactive courses at flat ₹250 / $3.25 only. HURRRRRY!! Explore now
  Signup/Sign In
Tests
MCQs to test your knowledge.
Forum
Engage with the community.
Compilers
Compilers to execute code in browser.
← Back to Questions
Ask Question
Not satisfied by the Answer? Still looking for a better solution?
Ask Question

FormsAuthentication.SignOut() does not log the user out

Smashed my head against this a bit too long. How do I prevent a user from browsing a site's pages after they have been logged out using FormsAuthentication.SignOut? I would expect this to do it:
FormsAuthentication.SignOut();

Session.Abandon();

FormsAuthentication.RedirectToLoginPage();


But it doesn't. If I type in a URL directly, I can still browse to the page. I haven't used roll-your-own security in a while so I forget why this doesn't work.
forms-authentication asp-net
by

2 Answers

Amit8z4mc
Sounds to me like you don't have your web.config authorization section set up properly within . See below for an example.
<authentication mode="Forms">

  <forms name="MyCookie" loginUrl="Login.aspx" protection="All" timeout="90" slidingExpiration="true"></forms>

</authentication>

<authorization>

  <deny users="?" />

</authorization>
sandhya6gczb
Users can still browse your website because cookies are not cleared when you call FormsAuthentication.SignOut() and they are authenticated on every new request. In MS documentation is says that cookie will be cleared but they don't, bug? Its exactly the same with Session.Abandon(), cookie is still there.

You should change your code to this:


FormsAuthentication.SignOut();

Session.Abandon();



// clear authentication cookie

HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");

cookie1.Expires = DateTime.Now.AddYears(-1);

Response.Cookies.Add(cookie1);



// clear session cookie (not necessary for your current problem but i would recommend you do it anyway)

SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");

HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");

cookie2.Expires = DateTime.Now.AddYears(-1);

Response.Cookies.Add(cookie2);



FormsAuthentication.RedirectToLoginPage();

Login / Signup to Answer the Question.

LoginSignup