I'm having an issue where even after deleting the user's cookies they are still logged in to my ASP.NET MVC site (IIS 6). HOWEVER, this only happens on my client's machine; my IE 8 on Win7 does NOT have this issue and the normal logout method works fine. It seems they need to close the browser before it will release them from being able to access the site after clicking logout (they are using IE 8 as well). Any idea what the deal is? Note: It works fine in Firefox for the client.

The logout process is as follows:

  • delete custom web app 'remember my login' cookies
  • redirect to federation server which logs them out of ADFS and deletes the FS cookies
  • they are stopped at 'logout complete' page on the federation server

...but when they try to browse the app again, they are let in right away!

A: 

If your cookies are deleted, there are five things which could cause this (in descending order of likelihood):

  • The user has performed HTTP Basic authentication at some point. If this has happened, the browser caches the auth credentials and the only way to log out is to close the browser.
  • There is an LSO (Flash object) keeping session state around or recreating the cookies.
  • You are checking for something based on the user's IP address.
  • The page is cached and the user isn't actually logged in.
  • The client is doing SPNEGO authentication using their local user credentials, so they're actually logging in to your site again each time they visit it. You just don't notice, because SPNEGO requires no user intervention.

Those are the only reasons I can think of for this happening.

Borealid
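To tell the causes listed in the answer apart, capture the first request the browser makes after logout (for example in a debugging proxy) and inspect its headers. The following is an added example, not part of the original question or answer; the function names, finding labels and sample headers are constructed for illustration. An IP-based check leaves no trace in the headers and has to be found in the server code.

```python
def parse_headers(raw):
    """Parse 'Name: value' lines into {lower-cased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a header line
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def triage(request_raw, response_raw, served_from_cache=False):
    """Return which causes the captured post-logout exchange supports."""
    req, resp = parse_headers(request_raw), parse_headers(response_raw)
    findings = []

    # The browser attaches credentials by itself: no cookie is involved.
    for value in req.get("authorization", []):
        scheme = value.split(" ", 1)[0].lower()
        if scheme == "basic":
            findings.append("basic-auth-cached")   # cleared only by closing the browser
        elif scheme == "negotiate":
            findings.append("spnego-relogin")      # silent login with local credentials

    # A cookie is still being sent: it was not deleted, or something recreated it.
    if req.get("cookie"):
        findings.append("cookie-still-sent")

    # No request reached the server, or the response allows the browser to store it.
    cache_control = ",".join(resp.get("cache-control", [])).lower()
    if served_from_cache or not ("no-store" in cache_control or "no-cache" in cache_control):
        findings.append("page-may-be-cached")

    # Server handed out a fresh cookie to a cookie-less request: a new login happened.
    if "set-cookie" in resp and not req.get("cookie"):
        findings.append("cookie-reissued")
    return findings


# Constructed sample captures (header lines only, placeholder credentials).
SPNEGO_REQ = "Host: app.example.test\nAuthorization: Negotiate PLACEHOLDER_TOKEN"
SPNEGO_RESP = "Cache-Control: no-store\nSet-Cookie: session=constructed"
BASIC_REQ = "Host: app.example.test\nAuthorization: Basic PLACEHOLDER"
BASIC_RESP = "Cache-Control: private"

if __name__ == "__main__":
    print(triage(SPNEGO_REQ, SPNEGO_RESP))
    print(triage(BASIC_REQ, BASIC_RESP))
    print(triage("Host: app.example.test", "", served_from_cache=True))
```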