FormsAuthentication.SignOut() not working when manually creating a ticket?

  • Thread starter: Matthias S.

Matthias S.

Hi there,

I've created an application which is using Forms-based authentication.
My Login-Button event handler looks somewhat like this:

// validate the input, etc...
// sUserName holds now the user's name

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(20),false,
nRoleID.ToString(),FormsAuthentication.FormsCookiePath);

// encrypt the ticket
string sEncTicket = FormsAuthentication.Encrypt(ticket);

// set the cookie
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
sEncTicket));

It seems to work ok. But if I later use FormsAuthentication.SignOut() in
order to remove the Ticket, the ticket does not get removed. Why is this?

Thanks in advance!

Matthias
 
Matthias S. said:
Hi there,

I've created an application which is using Forms-based authentication.
My Login-Button event handler looks somewhat like this:

// validate the input, etc...
// sUserName holds now the user's name

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(20),false,
nRoleID.ToString(),FormsAuthentication.FormsCookiePath);

// encrypt the ticket
string sEncTicket = FormsAuthentication.Encrypt(ticket);

// set the cookie
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
sEncTicket));

It seems to work ok. But if I later use FormsAuthentication.SignOut() in
order to remove the Ticket, the ticket does not get removed. Why is this?

Have you tried it with FormsAuthentication.SetAuthCookie() instead? This is
what I use and it seems to work, but I am not quite sure how this differs
from the method you are using.
 
Hi,

I can't use the SetAuthCookie, since I have to assign a specific role to
the user. But starting the authenticated session works fine, only ending
it seems problematic.

Matthias
 
I had the same problem and was able to finally get this working
recently by using this code:

FormsAuthentication.SignOut()
' force Expiration of the cookie. this should "clear"
' the client-side data. the source of the issue ???
Context.Response.Cookies.Item( _
FormsAuthentication.FormsCookieName).Expires = Date.Now
Response.Redirect("login.aspx")

If you try to use the .Remove method instead of setting the existing
Item's Expire date, the application will not work out as expected.
This must be because Context.Response.Cookies collection is server-side
and if you Remove the item from the collection, it is never returned
back to the client. If it's not returned back, it will not be removed
(on the client side). This is the role of the Expiration Date.

I am assuming the Expires to Now forces the cookie to be removed on the
client side immediately. Perhaps it is this little bit of data on the
client that is causing the problem. It actually makes sense to me, but
it would be nice if this was more apparent from the documentation.
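
An added example, not code from any poster in this thread: a C# version of both halves, issuing the manually built ticket with the role in UserData and then clearing it by sending back a cookie with the same name and path and an expiry in the past. The class name AuthCookieHelper and its method names are hypothetical, and it assumes .NET Framework 2.0 or later (for HttpCookie.HttpOnly).

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): issues and clears a manually built forms ticket.
public static class AuthCookieHelper
{
    // Login: same ticket as in the question, with the role ID carried in UserData.
    public static void IssueTicket(HttpResponse response, string userName, int roleId)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), false,
            roleId.ToString(), FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath; // must match at sign-out
        cookie.HttpOnly = true;                            // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;    // follow the configured setting
        response.Cookies.Add(cookie);
    }

    // Logout: the browser only drops a cookie when it receives a replacement
    // with the same name and path and an expiry in the past. Removing the
    // entry from Response.Cookies sends nothing to the client at all.
    public static void SignOut(HttpResponse response)
    {
        FormsAuthentication.SignOut();

        HttpCookie expired = new HttpCookie(FormsAuthentication.FormsCookieName, "");
        expired.Path = FormsAuthentication.FormsCookiePath;
        expired.HttpOnly = true;
        expired.Secure = FormsAuthentication.RequireSSL;
        expired.Expires = DateTime.Now.AddYears(-1);
        response.Cookies.Set(expired); // replaces a same-named entry in the collection
    }
}
```

Expiring the cookie only affects the browser that receives the response: the encrypted ticket is not tracked on the server, so a copy of it is still accepted until the 20-minute expiration written into the ticket. Keeping that lifetime short and sending the cookie only over HTTPS limits how long such a copy is useful.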
 