FormsAuthentication.SignOut() not working when manually creating a ticket?

18 Mar 2005 1:19 PM

Matthias S.

Hi there,

I've created an application which is using Forms-based authentification.
My Login-Button event handler looks somewhat like this:

// validate the input, etc...
// sUserName holds now the users name

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(20),false,
nRoleID.ToString(),FormsAuthentication.FormsCookiePath);

// encrypt the ticket
string sEncTicket = FormsAuthentication.Encrypt(ticket);

// set the cookie
Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
sEncTicket));

It seems to work ok. But if I later use FormsAuthentication.SignOut() in
order to remove the Ticket, the ticket does not get removed. Why is this?

Thanks in advance!

Matthias

18 Mar 2005 3:21 PM

Andy Fish

Show quote Hide quote

"Matthias S." <postamt@_remove_emvoid_remove_.de> wrote in message
news:%23E$$G07KFHA.3336@TK2MSFTNGP10.phx.gbl...
> Hi there,
>
> I've created an application which is using Forms-based authentification.
> My Login-Button event handler looks somewhat like this:
>
> // validate the input, etc...
> // sUserName holds now the users name
>
> FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
> 1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(20),false,
> nRoleID.ToString(),FormsAuthentication.FormsCookiePath);
>
> // encrypt the ticket
> string sEncTicket = FormsAuthentication.Encrypt(ticket);
>
> // set the cookie
> Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
> sEncTicket));
>
> It seems to work ok. But if I later use FormsAuthentication.SignOut() in
> order to remove the Ticket, the ticket does not get removed. Why is this?
>

Have you tried it with FormsAuthentication.SetAuthCookie() instead. This is
what I use and it seems to work, but I am not quite sure how this differs
from the method you are using.

Show quoteHide quote

> Thanks in advance!
>
> Matthias

19 Mar 2005 11:24 AM

Matthias S.

Hi,

I can't use the SetAuthCookie, since I have to assign a specific role to
the user. But starting the authenticated session works fine, only ending
it seems problematically.

Matthias

Andy Fish wrote:
Show quoteHide quote

> "Matthias S." <postamt@_remove_emvoid_remove_.de> wrote in message
> news:%23E$$G07KFHA.3336@TK2MSFTNGP10.phx.gbl...
>
>>Hi there,
>>
>>I've created an application which is using Forms-based authentification.
>>My Login-Button event handler looks somewhat like this:
>>
>>// validate the input, etc...
>>// sUserName holds now the users name
>>
>>FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
>> 1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(20),false,
>>nRoleID.ToString(),FormsAuthentication.FormsCookiePath);
>>
>>// encrypt the ticket
>>string sEncTicket = FormsAuthentication.Encrypt(ticket);
>>
>>// set the cookie
>>Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
>>sEncTicket));
>>
>>It seems to work ok. But if I later use FormsAuthentication.SignOut() in
>>order to remove the Ticket, the ticket does not get removed. Why is this?
>>
>
>
> Have you tried it with FormsAuthentication.SetAuthCookie() instead. This is
> what I use and it seems to work, but I am not quite sure how this differs
> from the method you are using.
>
>
>>Thanks in advance!
>>
>>Matthias
>
>
>

14 Apr 2005 6:13 PM

pb.bergeron

I had the same problem and was able to finally get this working
recently by using this code:

      FormsAuthentication.SignOut()
      ' force Expiration of the cookie. this should "clear"
      ' the client-side data. the source of the issue ???
      Context.Response.Cookies.Item( _
         FormsAuthentication.FormsCookieName).Expires = Date.Now
      Response.Redirect("login.aspx")

If you try to use the .Remove method instead of setting the existing
Item's Expire date, the application will not work out as expected.
This must be because Context.Response.Cookies collection is server-side
and if you Remove the item from the collection, it is never returned
back to the client. If it's not returned back, it will not be removed
(on the client side). This is the role of the Expiration Date.

I am assuming the Expires to Now forces the cookie to be removed on the
client side immediately. Perhaps it is this little bit of data on the
client that is causing the problem. It actually makes sense to me, but
it would be nice if this was more apparent from the documentation.

Matthias S. wrote:
Show quoteHide quote

> Hi,
>
> I can't use the SetAuthCookie, since I have to assign a specific role
to
> the user. But starting the authenticated session works fine, only
ending
> it seems problematically.
>
> Matthias
>
> Andy Fish wrote:
> > "Matthias S." <postamt@_remove_emvoid_remove_.de> wrote in message
> > news:%23E$$G07KFHA.3336@TK2MSFTNGP10.phx.gbl...
> >
> >>Hi there,
> >>
> >>I've created an application which is using Forms-based
authentification.
> >>My Login-Button event handler looks somewhat like this:
> >>
> >>// validate the input, etc...
> >>// sUserName holds now the users name
> >>
> >>FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
> >> 1, sUserName, DateTime.Now, DateTime.Now.AddMinutes(20),false,
> >>nRoleID.ToString(),FormsAuthentication.FormsCookiePath);
> >>
> >>// encrypt the ticket
> >>string sEncTicket = FormsAuthentication.Encrypt(ticket);
> >>
> >>// set the cookie
> >>Response.Cookies.Add(new

HttpCookie(FormsAuthentication.FormsCookieName,

> >>sEncTicket));
> >>
> >>It seems to work ok. But if I later use

FormsAuthentication.SignOut() in
Show quoteHide quote

> >>order to remove the Ticket, the ticket does not get removed. Why is
this?
> >>
> >
> >
> > Have you tried it with FormsAuthentication.SetAuthCookie() instead.
This is
> > what I use and it seems to work, but I am not quite sure how this
differs
> > from the method you are using.
> >
> >
> >>Thanks in advance!
> >>
> >>Matthias
> >
> >
> >