[security] FormsAuthentication.SignOut() not deleting auth cookie

Labib Mezghanni 1 Reputation point
2021-09-15T11:16:30.39+00:00

Hello,

I'm facing an issue with FormsAuthentication: after SignOut() the auth cookie still exists even though it is expired, which causes a security breach on all requests.

    // Logout handler as posted (ASP.NET Web Forms, System.Web.Security)
    FormsAuthentication.SignOut();
    Session.Abandon();
    // GetAuthCookie(userName, createPersistentCookie) builds a fresh ticket for the
    // name passed in; here the cookie name is passed as the user name.
    HttpCookie adAuthCookie = FormsAuthentication.GetAuthCookie(FormsAuthentication.FormsCookieName, false);
    adAuthCookie.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(adAuthCookie);

I'm using .NET 4.5.1.


1 answer

Lan Huang-MSFT 25,471 Reputation points, Microsoft Vendor
2021-09-17T08:33:17.277+00:00

    Hi @Labib Mezghanni ,
    Maybe you can also clear the session cookie and check the configuration of the web.config file.
    And how do you configure cookies? Can you provide the sign-in code?
    You can refer to the code below:

    using System;
    using System.Web;
    using System.Web.Configuration;
    using System.Web.Security;

    FormsAuthentication.SignOut();
    Session.Abandon();
    // clear authentication cookie: overwrite it with an empty value that is already expired
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    cookie1.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie1);
    // clear session cookie: read its name from <sessionState> in web.config
    SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
    HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");
    cookie2.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie2);
    FormsAuthentication.RedirectToLoginPage();

    If the answer is helpful, please click "Accept Answer" and upvote it.

    Best regards,
    Lan Huang

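The answer's approach extended into a fuller logout helper, added here as an example; it is not code from the question, the answer, or Microsoft. It assumes an ASP.NET Web Forms application on .NET Framework using Forms authentication, and it addresses two things the thread touches on: a browser only discards a cookie when the expiry cookie's name, Path and Domain match the one it holds (so they are copied from the Forms auth settings that issued it), and a Forms ticket is stateless, so an already-issued copy of the cookie stays valid until its own expiry unless the server rejects it. The `SecureLogout` class, its method names and the in-memory `LogoutTimes` map are constructed for this example; the map stands in for a durable store and does not survive application restarts or web-farm hops.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Added example, not code from the question or the answer. Assumes ASP.NET Web Forms
// on .NET Framework with Forms authentication using the default cookie ticket.
public static class SecureLogout
{
    // Constructed placeholder for a durable store (database or distributed cache).
    private static readonly ConcurrentDictionary<string, DateTime> LogoutTimes =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Browsers delete a cookie only when name, Path and Domain match the stored one,
    // so the expiry cookie is built from the same settings that issued the original.
    private static void ExpireCookie(HttpResponse response, string name, string path, string domain)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.Now.AddYears(-1),
            Path = string.IsNullOrEmpty(path) ? "/" : path,
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        if (!string.IsNullOrEmpty(domain))
        {
            cookie.Domain = domain;
        }
        // Set() replaces a same-named cookie already queued on this response.
        response.Cookies.Set(cookie);
    }

    // Call from the logout page or handler.
    public static void SignOutCompletely(HttpContext context)
    {
        var user = context.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            // Remember the logout so tickets issued before it are rejected server-side.
            LogoutTimes[user.Identity.Name] = DateTime.Now;
        }

        FormsAuthentication.SignOut();
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        ExpireCookie(context.Response, FormsAuthentication.FormsCookieName,
                     FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain);

        var sessionState = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
        ExpireCookie(context.Response, sessionState.CookieName, "/", null);

        // Keep the authenticated page out of browser and proxy caches after logout.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Cache.SetNoStore();
    }

    // Wire this to Application_PostAuthenticateRequest in Global.asax:
    //   protected void Application_PostAuthenticateRequest(object s, EventArgs e)
    //   { SecureLogout.RejectRevokedTicket(HttpContext.Current); }
    public static void RejectRevokedTicket(HttpContext context)
    {
        var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            ticket = null; // tampered or foreign cookie: treat as no ticket
        }

        DateTime loggedOutAt;
        bool revoked = ticket == null
            || ticket.Expired
            || (LogoutTimes.TryGetValue(ticket.Name, out loggedOutAt) && ticket.IssueDate < loggedOutAt);

        if (revoked)
        {
            // Drop the identity for this request and tell the browser to discard the cookie.
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            ExpireCookie(context.Response, FormsAuthentication.FormsCookieName,
                         FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain);
        }
    }
}
```

`ticket.IssueDate` is recorded in local time by `FormsAuthentication`, which is why `LogoutTimes` stores `DateTime.Now` rather than `DateTime.UtcNow`. If the app runs on more than one server, or must keep logouts across restarts, replace the dictionary with a shared store keyed by user name; the comparison logic stays the same.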