FormsAuthentication.SignOut() not working after changing the CookieDomain

Refresh

December 2018

Views

54 time

3

In the web.config, we had the following:

<authentication mode="Forms">
  <forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" />
</authentication>

We have since updated it to this:

<authentication mode="Forms">
  <forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" enableCrossAppRedirects="true" domain="[websitename].com" />
</authentication>

The problem is, users who are already logged in are no longer signed out when we call FormsAuthentication.SignOut().

Instead of just callign FormsAuthentication.SignOut(), I now do the following, but it still isn't signing out currently logged in users:

private static void SignOut(HttpContextBase context)
{
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, false);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, false);

    // clear cookies server side
    context.Request.Cookies.Clear();

    context.Session.Abandon();
    FormsAuthentication.SignOut();
}

private static void RemoveCookie(HttpContextBase context, string name, string path, string domain, bool httpOnly)
{
    context.Response.Cookies.Add(new HttpCookie(name, "NoCookie")
    {
        Path = path,
        Domain = domain,
        Secure = false,
        Shareable = false,
        HttpOnly = httpOnly,
        Expires = DateTime.Now.AddDays(-1d)
    });
}

1 answers

2

В FormsAuthentication.SignOut()есть вызов в удаляет все предыдущие куки из ответа: context.Response.Cookies.RemoveCookie(FormsCookieName);( https://github.com/Microsoft/referencesource/blob/master/System.Web/Security/FormsAuthentication.cs#L421 )

Изменение порядка все, кажется, решить проблему:

private static void SignOut(HttpContextBase context)
{
    context.Session.Abandon();
    FormsAuthentication.SignOut();

    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, false);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, false);

    // clear cookies server side
    context.Request.Cookies.Clear();
}