tags:

views:

1672

answers:

6
+1  Q: 

How do you implement a "Logout" link using ASP.NET MVC?

This seems like a pretty stupid question, but I'm trying to figure out the best way to do this. Would you simply redirect to a /Logout page and have the controller call the FormsAuthentication.SignOut function?

That was my first thought, but then I wondered if it could be abused by third party websites. Let's say someone just decides to post a link to your /Logout page. The user would get signed out of your application. Is there a good way to prevent that?

A: 

You should look for a cookie or something that identifies the client as the true user.

SaaS Developer  2008-10-21 00:20:43
How would that help? The user would still be logged out when they clicked the link.
Kevin Pang  2008-10-21 00:22:59
Doesn't this problem exist with any web application, built with any language, where logging out involves going to some kind of logout page? You could check the referrer and make sure that the user came from the same domain, but that's not always reliable.
Mun  2008-10-21 00:27:02
A: 

This is what I use.

public ActionResult Logout()
{
    FormsAuth.SignOut();
    return RedirectToAction("Index", "Home");
}

Seems to work fine.

Third party websites are only going to log themselves out. So they wouldn't be achieving anything different from actually clicking Logout.

Schotime  2008-10-21 00:24:27
So let's say your app is located at http://url.com and your logout page is http://url.com/logout. If a third party website posted a link to http://url.com/logout, any users that are logged into your app that click that link will log themselves out, right?
Kevin Pang  2008-10-21 00:27:36
Can you check to see if it is a postback in MVC? if so, then logout, otherwise just redirect to the index view?
Mark  2008-10-21 00:30:50
@kevin, Only the 3rd party app would be logged out. No users currently using your application would be logged out until they clicked it themselves.@Mark You could allow only GET requests to the controller.
Schotime  2008-10-21 03:10:25
+1  A: 

If you are concerned about a user getting accidentally logged out of you application through the use of a malicious link, you can check the Referrer to make sure that the logout is coming from your site (or is NULL in the case where the user simply types the URL in).

I actually don't worry about this since logging someone out is annoying but not necessarily a security risk.

tvanfosson  2008-10-21 00:36:45
My thoughts as well. While annoying, it's not a security risk.
Mike Brown  2008-10-21 00:40:51
I agree, I don't think maliciously logging people out is a big problem. And they would have had to had left your site anyway to go to the other site so having to log back in when they return shouldn't be a problem.
Craig  2008-10-21 00:58:31
Referrers can be spoofed way to easily. Check the CSRF answer.
Chuck  2009-08-21 19:42:51
My last point was that while annoying it's not particularly egregious. I regard a spoofed Referer in this case to be innocuous and wouldn't put much effort into verifying that the logout is coming from the correct host. It goes without saying that it should be a GET request and not be allowed to modify any data directly.
tvanfosson  2009-08-21 19:47:23
+2  A: 

Such a malicious link would be an example of a class of security vulnerabilities known as cross site request forgery, CSRF. A logout link is relatively harmless, but a remote site could set up a number of hidden forms and post them to your site to perform any action possible through POST.

The most common counter-measure is to include a challenge, a random hidden value in each form, and then check for that value. Checking the referer header could work, but note that some browsers don't send referer at all.

Read more: http://en.wikipedia.org/wiki/Cross-site_request_forgery

jakber  2008-10-21 00:59:49
+1  A: 

The new ASP.net MVC Beta contains an AccountController, which may be worth looking at, as it essentially implements everything from Registration to Login/Logout to Forgot Password functionality. Not sure how good it is, but a good starting Point for sure.

Michael Stum  2008-10-21 01:01:48
BTW, Mike, congrats on being the first CrackOverflow addict to break 10k.
Will  2008-10-21 01:20:56
A: 

Derive from ActionResult

public class LogoutResult : ActionResult
{
 private readonly IAuthenticationService _authenticationService;
 private readonly IWebContext _context;

 public LogoutResult(IAuthenticationService authenticationService, IWebContext context)
 {
  _authenticationService = authenticationService;
  _context = context;
 }

 public override void ExecuteResult(ControllerContext context)
 {
  _authenticationService.Logout();
  _context.Abandon();
  _context.Redirect("~/");
 }
}
Matt Hinze  2008-10-21 03:20:26

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data