tags:
views: 58
answers: 2

FormsAuthentication.SignOut(), in so far as I understand it, just kills the cookie in your browser. I.e. if the cookie is saved and used again after FormsAuthentication.SignOut(), the user is authenticated. How do I kill a session on the server? I.e. make any cookie invalid?

I have ASP.NET MVC.

HttpContext.Session.Abandon() does not work.

+1  A: 

You don't. Well, you could change the machine key, but that would require bouncing the server and would make everyone's cookie invalid.

What you are asking is something that Forms authentication does not provide. Forms authentication does not store a persistent list of valid cookies. You would have to write or find a custom provider (or customize Forms) to do this.

Craig Stuntz
+1  A: 

By using the default forms authentication mechanism you cannot achieve this. The cookie will be valid for a given period of time, and if a hacker gets hold of this cookie, no matter what you do, he will be able to enter the site during this period of time. The only way to achieve this is to handle it manually by storing the tokens in the database and expiring them upon FormsAuthentication.SignOut() so that they cannot be reused.

So my advice:

  • Always use SSL
  • Define a fixed expiration period for the cookies, never set slidingExpiration to true.
Darin Dimitrov
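The approach both answers describe, server-side tracking of issued tickets so that SignOut() can revoke one, worked through as an added example for an ASP.NET MVC (System.Web) application. This is not code from the original post or from ASP.NET itself: the store, the RevocableFormsAuth helper, the Global.asax hook and the controller action are hypothetical names chosen here, and the in-memory dictionary stands in for the database table the answer recommends. Every forms-authentication call used is the framework's own API.

```csharp
// Added example: revocable forms-authentication tickets for ASP.NET MVC.
// Assumption: IssuedTokenStore is an in-memory stand-in for a database table
// (token, user, issuedAt, revokedAt); everything else uses System.Web APIs as-is.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class IssuedTokenStore
{
    // Per-login token carried in the ticket's UserData field -> still valid?
    private static readonly ConcurrentDictionary<string, bool> Tokens =
        new ConcurrentDictionary<string, bool>(StringComparer.Ordinal);

    public static string Issue()
    {
        var token = Guid.NewGuid().ToString("N"); // 128-bit random, unguessable
        Tokens[token] = true;
        return token;
    }

    public static bool IsValid(string token)
    {
        bool valid;
        return !string.IsNullOrEmpty(token) && Tokens.TryGetValue(token, out valid) && valid;
    }

    public static void Revoke(string token)
    {
        if (!string.IsNullOrEmpty(token)) Tokens[token] = false;
    }
}

public static class RevocableFormsAuth
{
    // Issue a ticket with a fixed expiry (no sliding renewal) and a server-tracked token.
    public static void SignIn(HttpResponseBase response, string userName, TimeSpan lifetime)
    {
        var token = IssuedTokenStore.Issue();
        var ticket = new FormsAuthenticationTicket(
            1,                              // version
            userName,
            DateTime.UtcNow,                // issueDate
            DateTime.UtcNow.Add(lifetime),  // expiration: fixed, not sliding
            false,                          // isPersistent: session cookie only
            token,                          // userData: our revocation handle
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = true,                  // "always use SSL": never send the ticket in clear
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Revoke server-side first, then clear the browser cookie as SignOut() always did.
    public static void SignOut(HttpRequestBase request)
    {
        var ticket = ReadTicket(request);
        if (ticket != null) IssuedTokenStore.Revoke(ticket.UserData);
        FormsAuthentication.SignOut();
    }

    public static FormsAuthenticationTicket ReadTicket(HttpRequestBase request)
    {
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // tampered value or foreign machineKey
    }
}

// Global.asax: runs after FormsAuthenticationModule has accepted the ticket's
// signature and expiry; here we additionally enforce the server-side list.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var ticket = RevocableFormsAuth.ReadTicket(new HttpRequestWrapper(Request));
        if (ticket == null) return;

        if (ticket.Expired || !IssuedTokenStore.IsValid(ticket.UserData))
        {
            // Replayed cookie after sign-out: treat as anonymous and clear it.
            FormsAuthentication.SignOut();
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOff()
    {
        RevocableFormsAuth.SignOut(Request);
        return RedirectToAction("Index", "Home");
    }
}
```

Pair this with `<forms slidingExpiration="false" requireSSL="true" />` in web.config so the framework never renews a ticket on the attacker's behalf and refuses to read the cookie over plain HTTP. The caveat stands: until the legitimate user signs out (or an administrator revokes the token in the store), a stolen cookie is indistinguishable from the real one, so the fixed, short lifetime is what bounds the exposure. Expired tokens should be pruned from the store on a schedule, and because the store is now consulted on every request it belongs in a database or cache shared by all web servers, not in process memory as in this illustration.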