FormsAuthentication.SignOut() not working after changing the CookieDomain























In the web.config, we had the following:



    <authentication mode="Forms">
      <forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" />
    </authentication>


We have since updated it to this:



    <authentication mode="Forms">
      <forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" enableCrossAppRedirects="true" domain="[websitename].com" />
    </authentication>


The problem is, users who are already logged in are no longer signed out when we call FormsAuthentication.SignOut().



Instead of just calling FormsAuthentication.SignOut(), I now do the following, but it still isn't signing out currently logged in users:



    private static void SignOut(HttpContextBase context)
    {
        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, true);
        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, false);
        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, true);
        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, false);

        // clear cookies server side
        context.Request.Cookies.Clear();

        context.Session.Abandon();
        FormsAuthentication.SignOut();
    }

    private static void RemoveCookie(HttpContextBase context, string name, string path, string domain, bool httpOnly)
    {
        context.Response.Cookies.Add(new HttpCookie(name, "NoCookie")
        {
            Path = path,
            Domain = domain,
            Secure = false,
            Shareable = false,
            HttpOnly = httpOnly,
            Expires = DateTime.Now.AddDays(-1d)
        });
    }









c# forms-authentication
















asked Nov 7 at 20:33









dochoffiday































To "logoff", you have to set an old expiration date, something like this: var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, "NoCookie"); cookie.Expires = new DateTime(1999, 1, 1); context.Response.Cookies.Remove(FormsAuthentication.FormsCookieName); context.Response.Cookies.Add(cookie);
– Simon Mourier
Nov 13 at 21:10




















1 Answer



accepted










In FormsAuthentication.SignOut() there is a call that removes all of the previous cookies from the Response: context.Response.Cookies.RemoveCookie(FormsCookieName); (https://github.com/Microsoft/referencesource/blob/master/System.Web/Security/FormsAuthentication.cs#L421)



Changing the order of everything seems to fix the issue:



    private static void SignOut(HttpContextBase context)
    {
        context.Session.Abandon();
        // Call SignOut() first: it removes same-name cookies already added to the response.
        FormsAuthentication.SignOut();

        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, true);
        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, false);
        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, true);
        RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, false);

        // clear cookies server side
        context.Request.Cookies.Clear();
    }





        answered Nov 16 at 15:23









        dochoffiday
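
An added illustration, not part of the original answer and not System.Web code: a small console model of why the call order decides whether a pre-change login survives logout. The host `www.example.com`, the domain `example.com` and every type and method name are constructed; `FrameworkSignOut` models `FormsAuthentication.SignOut()` only as far as the answer describes it, and the browser side uses the RFC 6265 rule that a stored cookie is replaced only when name, domain and path all match.

```csharp
using System;
using System.Collections.Generic;

// Constructed model (not System.Web): just enough cookie semantics to show the ordering bug.
sealed class Cookie
{
    public readonly string Name, Domain, Path;   // Domain == null: no Domain attribute
    public readonly bool Expired;
    public Cookie(string name, string domain, string path, bool expired)
    { Name = name; Domain = domain; Path = path; Expired = expired; }
}

static class LogoutModel
{
    const string Name = ".PX";
    const string Host = "www.example.com";   // constructed request host
    const string CfgDomain = "example.com";  // stands in for domain="[websitename].com"

    // As the answer describes it: SignOut() drops same-name cookies already queued on the
    // response, then queues its own expired cookie (assumed: for the configured domain).
    static void FrameworkSignOut(List<Cookie> response)
    {
        response.RemoveAll(c => c.Name == Name);
        response.Add(new Cookie(Name, CfgDomain, "/", true));
    }

    // The page's RemoveCookie calls, minus the HttpOnly variants: expire both scopes.
    static void ManualRemove(List<Cookie> response)
    {
        response.Add(new Cookie(Name, CfgDomain, "/", true));
        response.Add(new Cookie(Name, null, "/", true));   // host-only
    }

    // Browser side (RFC 6265 storage model): a stored cookie is replaced or deleted only by
    // a Set-Cookie with the same name, domain and path; no Domain means the request host.
    static List<Cookie> Apply(List<Cookie> jar, List<Cookie> response)
    {
        var result = new List<Cookie>(jar);
        foreach (var sc in response)
        {
            string domain = sc.Domain ?? Host;
            result.RemoveAll(c => c.Name == sc.Name && c.Domain == domain && c.Path == sc.Path);
            if (!sc.Expired) result.Add(new Cookie(sc.Name, domain, sc.Path, false));
        }
        return result;
    }

    // Number of auth cookies the browser still holds after the logout response.
    public static int Remaining(bool signOutFirst)
    {
        // A user who logged in before the config change holds a host-only ticket.
        var jar = new List<Cookie> { new Cookie(Name, Host, "/", false) };
        var response = new List<Cookie>();
        if (signOutFirst) { FrameworkSignOut(response); ManualRemove(response); }
        else { ManualRemove(response); FrameworkSignOut(response); }
        return Apply(jar, response).Count;
    }

    static void Main() => Console.WriteLine(
        "question order leaves " + Remaining(false) + ", answer order leaves " + Remaining(true));
}
```

In the question's order the host-only expiry cookie is purged from the response before it is sent, so the old host-only ticket is never matched; in the answer's order it reaches the browser.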
