
FormsAuthentication.SignOut() on server

Developer https://www.devze.com 2022-12-29 11:34 Source: Internet

FormsAuthentication.SignOut(), in so far as I understand it, just kills the cookie in your browser. I.e., if the cookie is saved and used again after FormsAuthentication.SignOut(), the user is authenticated. How do I kill a session on the server? I.e., make any cookie invalid?

I have ASP.NET MVC.

HttpContext.Session.Abandon() does not work.


By using the default forms authentication mechanism you cannot achieve this. The cookie will be valid for a given period of time and if a hacker gets hold of this cookie, no matter what you do, during this period of time he will be able to enter the site. The only way to achieve this is to handle it manually by storing the tokens into the database and expiring them upon FormsAuthentication.SignOut() so that they cannot be reused.

So my advice:

  • Always use SSL
  • Define a fixed expiration period for the cookies, never set slidingExpiration to true.
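The token-store approach this answer describes, as an added example that is not code from the question or from any answer: a per-login token is carried in the ticket's UserData, recorded server-side, checked on every authenticated request, and deleted at log-off so a saved copy of the cookie is rejected afterwards. The ConcurrentDictionary is a constructed stand-in for the database table the answer mentions, and the names TicketStore, Issue, Revoke and IsStillValid are chosen here; everything else is the standard System.Web.Security API.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

public static class TicketStore
{
    // Constructed stand-in for the "valid tokens" database table: token -> user name.
    static readonly ConcurrentDictionary<string, string> Valid = new ConcurrentDictionary<string, string>();
    // Log-in: mint a random token, record it server-side and carry it in the ticket's UserData.
    public static HttpCookie Issue(string userName, TimeSpan lifetime)
    {
        string token = Guid.NewGuid().ToString("N");
        Valid[token] = userName;
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.UtcNow,
            DateTime.UtcNow.Add(lifetime), false, token);            // fixed, non-sliding expiry
        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Expires = ticket.Expiration };
    }
    // Log-off: drop the token server-side, so a saved copy of the cookie is useless afterwards.
    public static void Revoke(HttpRequest request)
    {
        var ticket = ReadTicket(request);
        if (ticket != null) Valid.TryRemove(ticket.UserData, out _);
        FormsAuthentication.SignOut();                               // expires the cookie client-side
    }
    // True only if the cookie decrypts, is unexpired, and its token still maps to the same user.
    public static bool IsStillValid(HttpRequest request)
    {
        var ticket = ReadTicket(request);
        return ticket != null && !ticket.Expired
            && Valid.TryGetValue(ticket.UserData, out string user) && user == ticket.Name;
    }
    static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        var cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }   // throws on tampered data
        catch (Exception) { return null; }
    }
}
// Global.asax.cs: after forms auth has validated the cookie's signature, also ask the store.
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    if (Request.IsAuthenticated && !TicketStore.IsStillValid(Request))
    {
        TicketStore.Revoke(Request);
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

A stolen cookie is still accepted until log-off or until its fixed expiry, so the store only shortens the window; the answer's advice on SSL and non-sliding expiration still applies.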


You don't. Well, you could change the machine key, but that would require bouncing the server and would make everyone's cookie invalid.

What you are asking is something that Forms authentication does not provide. Forms authentication does not store a persistent list of valid cookies. You would have to write or find a custom provider (or customize Forms) to do this.


This works for me

// Controller action; needs System, System.Web, System.Web.Mvc and System.Web.Security.
public virtual ActionResult LogOff()
{
    // Queues an expired forms-authentication cookie in the response.
    FormsAuthentication.SignOut();

    // Request.Cookies.Remove() only edits the server's copy of the request, and
    // Response.Cookies.Remove() would drop the expired cookie SignOut() just queued;
    // to make the browser discard a cookie, send it back with an expiry in the past.
    foreach (var name in Request.Cookies.AllKeys)
    {
        Response.Cookies.Set(new HttpCookie(name) { Expires = DateTime.UtcNow.AddDays(-1) });
    }
    return RedirectToAction(MVC.Home.Index());
}
