FormsAuthentication.SignOut Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Removes the forms-authentication ticket from the browser.
public:
static void SignOut();
public static void SignOut ();
static member SignOut : unit -> unit
Public Shared Sub SignOut ()
Examples
The following code example clears the forms-authentication cookie using the SignOut method and redirects the user to the login page using the RedirectToLoginPage method.
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
public void LoginLink_OnClick(object sender, EventArgs args)
{
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>ASP.NET Example</title>
</head>
<body>
<form id="form1" runat="server">
Welcome <b><%=User.Identity.Name%></b>. Not <b><%=User.Identity.Name%></b>?
Click <asp:LinkButton id="LoginLink" Text="here"
OnClick="LoginLink_OnClick" runat="server" />
to sign in.
<!-- Page Contents -->
</form>
</body>
</html>
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web.Security" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
Public Sub LoginLink_OnClick(sender As Object, args As EventArgs)
FormsAuthentication.SignOut()
FormsAuthentication.RedirectToLoginPage()
End Sub
</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>ASP.NET Example</title>
</head>
<body>
<form id="form1" runat="server">
Welcome <b><%=User.Identity.Name%></b>. Not <b><%=User.Identity.Name%></b>?
Click <asp:LinkButton id="LoginLink" Text="here"
OnClick="LoginLink_OnClick" runat="server" />
to sign in.
<!-- Page Contents -->
</form>
</body>
</html>
Remarks
The SignOut method removes the forms-authentication ticket information from the cookie or the URL if CookiesSupported is false
. You can use the SignOut method in conjunction with the RedirectToLoginPage method to log one user out and allow a different user to log in.
If you run exclusively in cookieless mode, or if you support both authenticated and anonymous users, you should explicitly control the redirect to the login page if you require special business logic to execute as a result of removing the anonymous identifier.
When the SignOut method is called, a redirect to the application's login page is made by calling the Redirect method with the endResponse
parameter set to false
. The redirect does not take place until the current page has finished executing, so additional code can be run. If the code does not contain an explicit redirect to another page, the user is redirected to the login page configured in the application's configuration file.
Calling the SignOut method only removes the forms authentication cookie. The Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie. To improve security when using a forms authentication cookie, you should do the following:
Use absolute expiration for forms authentication cookies by setting the SlidingExpiration property to
false
. This limits the window in which a hijacked cookie can be replayed.Only issue and accept authentication cookies over Secure Sockets Layer (SSL), by setting the RequireSSL property to
true
and by running the entire Web site under SSL. Setting the RequireSSL property totrue
ensures that ASP.NET will never send an authentication cookie to the browser over a non-SSL connection; however, the client might not honor the secure setting on the cookie. This means the client might send the forms authentication cookie over a non-SSL connection, thus leaving it vulnerable to hijack. You can prevent a client from sending the forms authentication cookie in the clear by running the entire Web site under SSL.Use persistent storage on the server to record when a user logs out of the Web site, and then use an application event such as PostAuthenticateRequest event to determine whether the current user was authenticated with forms authentication. If the user was authenticated with forms authentication, and if the information in persistent storage indicates the user is logged out, immediately clear the authentication cookie and redirect the browser back to the login page. After a successful login, update storage to reflect that the user is logged in. When you use this method, your application must track the logged-in status of the user, and must force idle users to log out.