ansaurus

Question

Unable to logout from ASP.NET MVC application using FormsAuthentication.SignOut()

Answer 1

+1 A:

That's strange... I make one single call to: FormsAuthentication.SignOut(); and it works...

public ActionResult Logout() {
  FormsAuthentication.SignOut();
  return Redirect("~/");
}

Palantir 2010-10-08 09:53:22

I used reflector and saw what the FormsAuth.SignOut() was doing. It does the same thing i am trying to accomplish. that is setting the cookie's expires property to the previous date. But it carefully adds the cookie to the response , but i dint do that , that is the issue here. Thanks for the help!

vijaysylvester 2010-10-15 01:33:21

Answer 2

+1 A:

To correctly answer your question, I'd have to know how do you secure your "secure" pages.
I suspect that you're doing something wrong there.

A simple call to FormsAuthentication.SignOut() should be enough, as it clears the authentication cookie, thus making the other method calls you make there redundant.

With ASP.NET MVC, you have to use the AuthorizeAttribute on an action method to disallow non-authenticated visitors to use it. (Meaning: the old way you did it with Web Forms by specifying location tags in Web.config no longer works with MVC.)

For example, here is a small code snippet from my ForumController class:

public class ForumController : Controller
{
    ...

    [Authorize]
    public ActionResult CreateReply(int topicId)
    {
        ...
    }

    ...
}

Venemo 2010-10-08 09:53:56

To be clear , Even if you clear the cookie at server side using SignOut(), The Client passes the Forms Auth Cookie at the next request. To prevent this i am adding a cookie with same name , but with an expired time.

vijaysylvester 2010-10-08 10:08:39

@vijaysylvester - Well then, how do you explain that it works for me and @Palantir too?

Venemo 2010-10-08 10:19:04

@vijaysylvester - you are correct that the cookie will still be sent (until it is expired), but it wont matter, as this cookie will be seen as 'stale' to ASP.NET. There are other steps to bolster this, such as absolute expiration and SSL - but the 'hack' of adding a cookie with the same name is not one of them. I dont think FormsAuth is the problem here.

RPM1984 2010-10-08 10:24:47

@Venemo: Cheers mate! You both were successful in the 1st line that is FormsAuthentication.SignOut() , Since i was not , i tried other options as well. As simple as that.

vijaysylvester 2010-10-08 10:25:14

Im confused, are you saying you `didnt` have FormsAuthentication.SignOut() in your original code? Then why is it in the question?

RPM1984 2010-10-08 10:29:05

@RPM1984 : To be clear , i dint achieve what i intended to do using FormsAuthentication.SignOut() method, so i went on with adding expired cookie with same name hence forth.

vijaysylvester 2010-10-08 10:34:06

@vijaysylver - that's actually not clear at all. What do you mean you "didnt achieve what you intended". FormsAuthentication.Signout() is intended to signout (aka logout) a authenticated user from a website. What else do you "intend" it to do?

RPM1984 2010-10-08 10:40:24

@RPM1984 : I intended to logout , the method didnot facilitate that, so was trying with other options.

vijaysylvester 2010-10-08 11:06:00

Answer 3

A:

Check if you use on the requireSSL="true".

If you do then you need to be on secure page (ssl) for do anything with the login/logout. Do you ?

If you are not on ssl connection then its not going to read/write the cookie.

Aristos 2010-10-08 10:45:17

ansaurus

tags:

views:

answers:

Unable to logout from ASP.NET MVC application using FormsAuthentication.SignOut()

related questions