FormsAuthentication SignOut does not log the user out

Question

Smashed my head against this a bit too long  How do I prevent a user from browsing a site s pages after they have been logged out using FormsAuthentication SignOut  I would expect this to do it   FormsAuthentication SignOut    Session Abandon    FormsAuthentication RedirectToLoginPage      But it doesn t  If I type in a URL directly  I can still browse to the page  I haven t used roll-your-own security in a while so I forget why this doesn t work

User · Answer

This started happening to me when I set the authentication   forms   Path property in Web config  Removing that fixed the problem  and a simple FormsAuthentication SignOut    again removed the cookie

User · Answer

Doing Session abandon   and destroying the cookie works pretty good  I m using mvc3 and it looks like the problem occurs if you go to a protected page  log out  and go via your browser history  Not a big deal but still kinda of annoying   Trying to go through links on my web app works the right way though   Setting it to not do browser caching may be the way to go

User · Answer

Doing Session abandon   and destroying the cookie works pretty good  I m using mvc3 and it looks like the problem occurs if you go to a protected page  log out  and go via your browser history  Not a big deal but still kinda of annoying   Trying to go through links on my web app works the right way though   Setting it to not do browser caching may be the way to go

User · Answer

Using two of the above postings by x64igor and Phil Haselden solved this   1  x64igor gave the example to do the Logout    You first need to Clear the Authentication Cookie and Session Cookie by passing back empty cookies in the Response to the Logout   public ActionResult LogOff         FormsAuthentication SignOut        Session Clear        This may not be needed -- but can t hurt     Session Abandon            Clear authentication cookie     HttpCookie rFormsCookie   new HttpCookie  FormsAuthentication FormsCookieName            rFormsCookie Expires   DateTime Now AddYears  -1        Response Cookies Add  rFormsCookie            Clear session cookie      HttpCookie rSessionCookie   new HttpCookie   ASP NET SessionId             rSessionCookie Expires   DateTime Now AddYears  -1        Response Cookies Add  rSessionCookie       2  Phil Haselden gave the example above of how to prevent caching after logout    You need to Invalidate the Cache on the Client Side via the Response          Invalidate the Cache on the Client Side     Response Cache SetCacheability  HttpCacheability NoCache        Response Cache SetNoStore            Redirect to the Home Page  that should be intercepted and redirected to the Login Page first      return RedirectToAction   Index    Home

User · Answer

The code you posted looks like it should correctly remove the forms authentication token  so it is possible that the folders pages in question are not actually protected   Have you confirmed that the pages cannot be accessed before a login has occured   Can you post the web config settings and login code that you are using

User · Answer

I ve tried most answers in this thread  no luck  Ended up with this   protected void btnLogout Click object sender  EventArgs e        FormsAuthentication Initialize        var fat   new FormsAuthenticationTicket 1      DateTime Now  DateTime Now AddMinutes -30   false  string Empty  FormsAuthentication FormsCookiePath       Response Cookies Add new HttpCookie FormsAuthentication FormsCookieName  FormsAuthentication Encrypt fat         FormsAuthentication RedirectToLoginPage        Found it here  http   forums asp net t 1306526 aspx 1

User · Answer

I wanted to add some information to help understand the problem   Forms Authentication allows for storing user data either in a cookie  or in the query string of the URL   The method your site supports can be configured in the web config file   According to Microsoft      The SignOut method removes the forms-authentication ticket information   from the cookie or the URL if CookiesSupported is false    At the same time  they say      One of the HttpCookieMode values that indicates whether the   application is configured for cookieless forms authentication  The   default is UseDeviceProfile    Lastly  regarding UseDeviceProfile  they say      If the CookieMode property is set to UseDeviceProfile  the   CookiesSupported property will return true if the Browser for the   current Request supports both cookies and redirecting with cookies    otherwise  the CookiesSupported property will return false    Piecing this all together  depending on the user s browser  the default configuration may result in CookiesSupported being true  which means the SignOut method doesn t clear the ticket from the cookie   This seems counter-intuitive and I don t know why it works this way -- I would expect SignOut to actually sign the user out under any circumstances   One way to make the SignOut work by itself is to change the cookie mode to  UseCookies   i e  cookies are required  in the web config file    lt authentication mode  Forms  gt     lt forms loginUrl    Account SignIn  cookieless  UseCookies   gt   lt  authentication gt    According to my tests  doing this makes SignOut work by itself at the cost of your site now requiring cookies to function properly

User · Answer

This works for me  public virtual ActionResult LogOff                 FormsAuthentication SignOut            foreach  var cookie in Request Cookies AllKeys                        Request Cookies Remove cookie                     foreach  var cookie in Response Cookies AllKeys                        Response Cookies Remove cookie                     return RedirectToAction MVC Home Index

User · Answer

Sounds to me like you don t have your web config authorization section set up properly within   See below for an example    lt authentication mode  Forms  gt     lt forms name  MyCookie  loginUrl  Login aspx  protection  All  timeout  90  slidingExpiration  true  gt  lt  forms gt   lt  authentication gt   lt authorization gt     lt deny users       gt   lt  authorization gt

User · Answer

Users can still browse your website because cookies are not cleared when you call FormsAuthentication SignOut   and they are authenticated on every new request  In MS documentation is says that cookie will be cleared but they don t  bug  Its exactly the same with Session Abandon    cookie is still there   You should change your code to this   FormsAuthentication SignOut    Session Abandon        clear authentication cookie HttpCookie cookie1   new HttpCookie FormsAuthentication FormsCookieName       cookie1 Expires   DateTime Now AddYears -1   Response Cookies Add cookie1       clear session cookie  not necessary for your current problem but i would recommend you do it anyway  SessionStateSection sessionStateSection    SessionStateSection WebConfigurationManager GetSection  system web sessionState    HttpCookie cookie2   new HttpCookie sessionStateSection CookieName       cookie2 Expires   DateTime Now AddYears -1   Response Cookies Add cookie2    FormsAuthentication RedirectToLoginPage      HttpCookie is in the System Web namespace  MSDN Reference

User · Answer

Using two of the above postings by x64igor and Phil Haselden solved this   1  x64igor gave the example to do the Logout    You first need to Clear the Authentication Cookie and Session Cookie by passing back empty cookies in the Response to the Logout   public ActionResult LogOff         FormsAuthentication SignOut        Session Clear        This may not be needed -- but can t hurt     Session Abandon            Clear authentication cookie     HttpCookie rFormsCookie   new HttpCookie  FormsAuthentication FormsCookieName            rFormsCookie Expires   DateTime Now AddYears  -1        Response Cookies Add  rFormsCookie            Clear session cookie      HttpCookie rSessionCookie   new HttpCookie   ASP NET SessionId             rSessionCookie Expires   DateTime Now AddYears  -1        Response Cookies Add  rSessionCookie       2  Phil Haselden gave the example above of how to prevent caching after logout    You need to Invalidate the Cache on the Client Side via the Response          Invalidate the Cache on the Client Side     Response Cache SetCacheability  HttpCacheability NoCache        Response Cache SetNoStore            Redirect to the Home Page  that should be intercepted and redirected to the Login Page first      return RedirectToAction   Index    Home

User · Answer

The code you posted looks like it should correctly remove the forms authentication token  so it is possible that the folders pages in question are not actually protected   Have you confirmed that the pages cannot be accessed before a login has occured   Can you post the web config settings and login code that you are using

User · Answer

Sounds to me like you don t have your web config authorization section set up properly within   See below for an example    lt authentication mode  Forms  gt     lt forms name  MyCookie  loginUrl  Login aspx  protection  All  timeout  90  slidingExpiration  true  gt  lt  forms gt   lt  authentication gt   lt authorization gt     lt deny users       gt   lt  authorization gt

User · Answer

This Answer is technically identical to Khosro Pakmanesh  I m posting it to clarify how his answer differs from other answers on this thread  and in which use case it can be used  In general to clear a user-session  doing HttpContext Session Abandon    FormsAuthentication SignOut     will effectively log out the user  However  if in the same Request you need to check Request isAuthenticated  as may often happen in an Authorization Filter  for example   then you will find that Request isAuthenticated    true  even  after you did HttpContext Session Abandon   and FormsAuthentication SignOut    The only thing that worked was doing AuthenticationManager SignOut    HttpContext User   new GenericPrincipal new GenericIdentity string Empty   null    That effectively sets Request isAuthenticated   false

User · Answer

This Answer is technically identical to Khosro Pakmanesh  I m posting it to clarify how his answer differs from other answers on this thread  and in which use case it can be used  In general to clear a user-session  doing HttpContext Session Abandon    FormsAuthentication SignOut     will effectively log out the user  However  if in the same Request you need to check Request isAuthenticated  as may often happen in an Authorization Filter  for example   then you will find that Request isAuthenticated    true  even  after you did HttpContext Session Abandon   and FormsAuthentication SignOut    The only thing that worked was doing AuthenticationManager SignOut    HttpContext User   new GenericPrincipal new GenericIdentity string Empty   null    That effectively sets Request isAuthenticated   false

User · Answer

After lots of search finally this worked for me   I hope it helps   public ActionResult LogOff         AuthenticationManager SignOut        HttpContext User   new GenericPrincipal new GenericIdentity string Empty   null       return RedirectToAction  Index    Home        lt li class  page-scroll  gt  Html ActionLink  Log off    LogOff    Account   lt  li gt

User · Answer

Be aware that WIF refuses to tell the browser to cleanup the cookies if the wsignoutcleanup message from STS doesn t match the url with the name of the application from IIS  and I mean CASE SENSITIVE  WIF responds with the green OK check  but will not send the command to delete cookies to browser   So  you need to pay attention to the case sensitivity of your url s   For example  ThinkTecture Identity Server saves the urls of the visiting RPs in one cookie  but it makes all of them lower case  WIF will receive the wsignoutcleanup message in lower case and will compare it with the application name in IIS  If it doesn t match  it deletes no cookies  but will report OK to the browser  So  for this Identity Server I needed to write all urls in web config and all application names in IIS in lower case  in order to avoid such problems   Also don t forget to allow third party cookies in the browser if you have the applications outside of the subdomain of STS  otherwise the browser will not delete the cookies even if WIF tells him so

User · Answer

The code you posted looks like it should correctly remove the forms authentication token  so it is possible that the folders pages in question are not actually protected   Have you confirmed that the pages cannot be accessed before a login has occured   Can you post the web config settings and login code that you are using

User · Answer

Are you testing seeing this behaviour using IE  It s possible that IE is serving up those pages from the cache  It is notoriously hard to get IE to flush it s cache  and so on many occasions  even after you log out  typing the url of one of the  secured  pages would show the cached content from before    I ve seen this behaviour even when you log as a different user  and IE shows the  Welcome   bar at the top of your page  with the old user s username  Nowadays  usually a reload will update it  but if it s persistant  it could still be a caching issue

User · Answer

I just tried some of the suggestions here and while I was able to use the browser back button  when I clicked on a menu selection the  Authorize  token for that  ActionResult  sent me right back to the login screen   Here is my logout code           FormsAuthentication SignOut            Response Cookies Remove FormsAuthentication FormsCookieName           Response Cache SetExpires DateTime Now AddSeconds -1            HttpCookie cookie   HttpContext Request Cookies FormsAuthentication FormsCookieName           if  cookie    null                        cookie Expires   DateTime Now AddDays -1               Response Cookies Add cookie               Although the back function on the browser took me back and displayed the secured menu  I am still working on that  I was not able to do anything that was secured in the app   Hope this helps

User · Answer

I have been writing a base class for all of my Pages and I came to the same issue  I had code like the following and It didn t work  By tracing  control passes from RedirectToLoginPage   statement to the next line without to be redirected   if   requiresAuthentication        if   User Identity IsAuthenticated          FormsAuthentication RedirectToLoginPage            check authorization for restricted pages only     if   isRestrictedPage  AuthorizePageAndButtons        I found out that there are two solutions  Either to modify FormsAuthentication RedirectToLoginPage    to be   if   User Identity IsAuthenticated      Response Redirect FormsAuthentication LoginUrl     OR to modify the web config by adding   lt authorization gt     lt deny users       gt   lt  authorization gt    In the second case  while tracing  control didn t reach the requested page  It has been redirected immediately to the login url before hitting the break point  Hence  The SignOut   method isn t the issue  the redirect method is the one   I hope that may help someone  Regards

User · Answer

Just try to send a session variable when you press log in  And on the welcome page  first check whether that session is empty like this in the page load or in the Init Event   if Session  UserID      null    Session  UserID                Response Redirect  Login aspx

User · Answer

Are you testing seeing this behaviour using IE  It s possible that IE is serving up those pages from the cache  It is notoriously hard to get IE to flush it s cache  and so on many occasions  even after you log out  typing the url of one of the  secured  pages would show the cached content from before    I ve seen this behaviour even when you log as a different user  and IE shows the  Welcome   bar at the top of your page  with the old user s username  Nowadays  usually a reload will update it  but if it s persistant  it could still be a caching issue

User · Answer

It could be that you are logging in from one subdomain  sub1 domain com  and then trying to logout from a different subdomain  www domain com

User · Answer

The code you posted looks like it should correctly remove the forms authentication token  so it is possible that the folders pages in question are not actually protected   Have you confirmed that the pages cannot be accessed before a login has occured   Can you post the web config settings and login code that you are using

User · Answer

I just tried some of the suggestions here and while I was able to use the browser back button  when I clicked on a menu selection the  Authorize  token for that  ActionResult  sent me right back to the login screen   Here is my logout code           FormsAuthentication SignOut            Response Cookies Remove FormsAuthentication FormsCookieName           Response Cache SetExpires DateTime Now AddSeconds -1            HttpCookie cookie   HttpContext Request Cookies FormsAuthentication FormsCookieName           if  cookie    null                        cookie Expires   DateTime Now AddDays -1               Response Cookies Add cookie               Although the back function on the browser took me back and displayed the secured menu  I am still working on that  I was not able to do anything that was secured in the app   Hope this helps

User · Answer

Be aware that WIF refuses to tell the browser to cleanup the cookies if the wsignoutcleanup message from STS doesn t match the url with the name of the application from IIS  and I mean CASE SENSITIVE  WIF responds with the green OK check  but will not send the command to delete cookies to browser   So  you need to pay attention to the case sensitivity of your url s   For example  ThinkTecture Identity Server saves the urls of the visiting RPs in one cookie  but it makes all of them lower case  WIF will receive the wsignoutcleanup message in lower case and will compare it with the application name in IIS  If it doesn t match  it deletes no cookies  but will report OK to the browser  So  for this Identity Server I needed to write all urls in web config and all application names in IIS in lower case  in order to avoid such problems   Also don t forget to allow third party cookies in the browser if you have the applications outside of the subdomain of STS  otherwise the browser will not delete the cookies even if WIF tells him so

User · Answer

The key here is that you say  If I type in a URL directly       By default under forms authentication the browser caches pages for the user  So  selecting a URL directly from the browsers address box dropdown  or typing it in  MAY get the page from the browser s cache  and never go back to the server to check authentication authorization  The solution to this is to prevent client-side caching in the Page Load event of each page  or in the OnLoad   of your base page   Response Cache SetCacheability HttpCacheability NoCache     You might also like to call   Response Cache SetNoStore

User · Answer

I have been writing a base class for all of my Pages and I came to the same issue  I had code like the following and It didn t work  By tracing  control passes from RedirectToLoginPage   statement to the next line without to be redirected   if   requiresAuthentication        if   User Identity IsAuthenticated          FormsAuthentication RedirectToLoginPage            check authorization for restricted pages only     if   isRestrictedPage  AuthorizePageAndButtons        I found out that there are two solutions  Either to modify FormsAuthentication RedirectToLoginPage    to be   if   User Identity IsAuthenticated      Response Redirect FormsAuthentication LoginUrl     OR to modify the web config by adding   lt authorization gt     lt deny users       gt   lt  authorization gt    In the second case  while tracing  control didn t reach the requested page  It has been redirected immediately to the login url before hitting the break point  Hence  The SignOut   method isn t the issue  the redirect method is the one   I hope that may help someone  Regards

User · Answer

I ve tried most answers in this thread  no luck  Ended up with this   protected void btnLogout Click object sender  EventArgs e        FormsAuthentication Initialize        var fat   new FormsAuthenticationTicket 1      DateTime Now  DateTime Now AddMinutes -30   false  string Empty  FormsAuthentication FormsCookiePath       Response Cookies Add new HttpCookie FormsAuthentication FormsCookieName  FormsAuthentication Encrypt fat         FormsAuthentication RedirectToLoginPage        Found it here  http   forums asp net t 1306526 aspx 1

User · Answer

I am having a similar issue now and I believe the problem in my case as well as the original poster is because of the redirect   By default a Response Redirect causes an exception which immediately bubbles up until it is caught and the redirect is immediately executed  I am guessing that this is preventing the modified cookie collection from being passed down to the client   If you modify your code to use   Response Redirect  url   false     This prevents the exception and seems to allow the cookie to be properly sent back to the client

User · Answer

I just had the same problem  where SignOut   seemingly failed to properly remove the ticket  But only in a specific case  where some other logic caused a redirect  After I removed this second redirect  replaced it with an error message   the problem went away   The problem must have been that the page redirected at the wrong time  hence not triggering authentication

User · Answer

This started happening to me when I set the authentication   forms   Path property in Web config  Removing that fixed the problem  and a simple FormsAuthentication SignOut    again removed the cookie

User · Answer

The key here is that you say  If I type in a URL directly       By default under forms authentication the browser caches pages for the user  So  selecting a URL directly from the browsers address box dropdown  or typing it in  MAY get the page from the browser s cache  and never go back to the server to check authentication authorization  The solution to this is to prevent client-side caching in the Page Load event of each page  or in the OnLoad   of your base page   Response Cache SetCacheability HttpCacheability NoCache     You might also like to call   Response Cache SetNoStore

User · Answer

For MVC this works for me           public ActionResult LogOff                         FormsAuthentication SignOut                return Redirect FormsAuthentication GetRedirectUrl User Identity Name  true

User · Answer

I am having a similar issue now and I believe the problem in my case as well as the original poster is because of the redirect   By default a Response Redirect causes an exception which immediately bubbles up until it is caught and the redirect is immediately executed  I am guessing that this is preventing the modified cookie collection from being passed down to the client   If you modify your code to use   Response Redirect  url   false     This prevents the exception and seems to allow the cookie to be properly sent back to the client

User · Answer

After lots of search finally this worked for me   I hope it helps   public ActionResult LogOff         AuthenticationManager SignOut        HttpContext User   new GenericPrincipal new GenericIdentity string Empty   null       return RedirectToAction  Index    Home        lt li class  page-scroll  gt  Html ActionLink  Log off    LogOff    Account   lt  li gt

User · Answer

This works for me  public virtual ActionResult LogOff                 FormsAuthentication SignOut            foreach  var cookie in Request Cookies AllKeys                        Request Cookies Remove cookie                     foreach  var cookie in Response Cookies AllKeys                        Response Cookies Remove cookie                     return RedirectToAction MVC Home Index

User · Answer

Users can still browse your website because cookies are not cleared when you call FormsAuthentication SignOut   and they are authenticated on every new request  In MS documentation is says that cookie will be cleared but they don t  bug  Its exactly the same with Session Abandon    cookie is still there   You should change your code to this   FormsAuthentication SignOut    Session Abandon        clear authentication cookie HttpCookie cookie1   new HttpCookie FormsAuthentication FormsCookieName       cookie1 Expires   DateTime Now AddYears -1   Response Cookies Add cookie1       clear session cookie  not necessary for your current problem but i would recommend you do it anyway  SessionStateSection sessionStateSection    SessionStateSection WebConfigurationManager GetSection  system web sessionState    HttpCookie cookie2   new HttpCookie sessionStateSection CookieName       cookie2 Expires   DateTime Now AddYears -1   Response Cookies Add cookie2    FormsAuthentication RedirectToLoginPage      HttpCookie is in the System Web namespace  MSDN Reference

User · Answer

Are you testing seeing this behaviour using IE  It s possible that IE is serving up those pages from the cache  It is notoriously hard to get IE to flush it s cache  and so on many occasions  even after you log out  typing the url of one of the  secured  pages would show the cached content from before    I ve seen this behaviour even when you log as a different user  and IE shows the  Welcome   bar at the top of your page  with the old user s username  Nowadays  usually a reload will update it  but if it s persistant  it could still be a caching issue

User · Answer

For me  the following approach works  I think if there is any error after the  FormsAuthentication SignOut    statement  SingOut doesn t work   public ActionResult SignOut                 if  Request IsAuthenticated                        FormsAuthentication SignOut                 return Redirect                          return View

User · Answer

Just try to send a session variable when you press log in  And on the welcome page  first check whether that session is empty like this in the page load or in the Init Event   if Session  UserID      null    Session  UserID                Response Redirect  Login aspx

User · Answer

It could be that you are logging in from one subdomain  sub1 domain com  and then trying to logout from a different subdomain  www domain com

User · Answer

For me  the following approach works  I think if there is any error after the  FormsAuthentication SignOut    statement  SingOut doesn t work   public ActionResult SignOut                 if  Request IsAuthenticated                        FormsAuthentication SignOut                 return Redirect                          return View

User · Answer

For MVC this works for me           public ActionResult LogOff                         FormsAuthentication SignOut                return Redirect FormsAuthentication GetRedirectUrl User Identity Name  true

User · Answer

I just had the same problem  where SignOut   seemingly failed to properly remove the ticket  But only in a specific case  where some other logic caused a redirect  After I removed this second redirect  replaced it with an error message   the problem went away   The problem must have been that the page redirected at the wrong time  hence not triggering authentication

User · Answer

Sounds to me like you don t have your web config authorization section set up properly within   See below for an example    lt authentication mode  Forms  gt     lt forms name  MyCookie  loginUrl  Login aspx  protection  All  timeout  90  slidingExpiration  true  gt  lt  forms gt   lt  authentication gt   lt authorization gt     lt deny users       gt   lt  authorization gt

User · Answer

Sounds to me like you don t have your web config authorization section set up properly within   See below for an example    lt authentication mode  Forms  gt     lt forms name  MyCookie  loginUrl  Login aspx  protection  All  timeout  90  slidingExpiration  true  gt  lt  forms gt   lt  authentication gt   lt authorization gt     lt deny users       gt   lt  authorization gt

User · Answer

I ve struggled with this before too   Here s an analogy for what seems to be going on    A new visitor  Joe  comes to the site and logs in via the login page using FormsAuthentication  ASP NET generates a new identity for Joe  and gives him a cookie  That cookie is like the key to the house  and as long as Joe returns with that key  he can open the lock  Each visitor is given a new key and a new lock to use   When FormsAuthentication SignOut   is called  the system tells Joe to lose the key  Normally  this works  since Joe no longer has the key  he cannot get in   However  if Joe ever comes back  and does have that lost key  he is let back in   From what I can tell  there is no way to tell ASP NET to change the lock on the door   The way I can live with this is to remember Joe s name in a Session variable  When he logs out  I abandon the Session so I don t have his name anymore  Later  to check if he is allowed in  I simply compare his Identity Name to what the current session has  and if they don t match  he is not a valid visitor   In short  for a web site  do NOT rely on User Identity IsAuthenticated without also checking your Session variables

User · Answer

I ve struggled with this before too   Here s an analogy for what seems to be going on    A new visitor  Joe  comes to the site and logs in via the login page using FormsAuthentication  ASP NET generates a new identity for Joe  and gives him a cookie  That cookie is like the key to the house  and as long as Joe returns with that key  he can open the lock  Each visitor is given a new key and a new lock to use   When FormsAuthentication SignOut   is called  the system tells Joe to lose the key  Normally  this works  since Joe no longer has the key  he cannot get in   However  if Joe ever comes back  and does have that lost key  he is let back in   From what I can tell  there is no way to tell ASP NET to change the lock on the door   The way I can live with this is to remember Joe s name in a Session variable  When he logs out  I abandon the Session so I don t have his name anymore  Later  to check if he is allowed in  I simply compare his Identity Name to what the current session has  and if they don t match  he is not a valid visitor   In short  for a web site  do NOT rely on User Identity IsAuthenticated without also checking your Session variables

User · Answer

I wanted to add some information to help understand the problem   Forms Authentication allows for storing user data either in a cookie  or in the query string of the URL   The method your site supports can be configured in the web config file   According to Microsoft      The SignOut method removes the forms-authentication ticket information   from the cookie or the URL if CookiesSupported is false    At the same time  they say      One of the HttpCookieMode values that indicates whether the   application is configured for cookieless forms authentication  The   default is UseDeviceProfile    Lastly  regarding UseDeviceProfile  they say      If the CookieMode property is set to UseDeviceProfile  the   CookiesSupported property will return true if the Browser for the   current Request supports both cookies and redirecting with cookies    otherwise  the CookiesSupported property will return false    Piecing this all together  depending on the user s browser  the default configuration may result in CookiesSupported being true  which means the SignOut method doesn t clear the ticket from the cookie   This seems counter-intuitive and I don t know why it works this way -- I would expect SignOut to actually sign the user out under any circumstances   One way to make the SignOut work by itself is to change the cookie mode to  UseCookies   i e  cookies are required  in the web config file    lt authentication mode  Forms  gt     lt forms loginUrl    Account SignIn  cookieless  UseCookies   gt   lt  authentication gt    According to my tests  doing this makes SignOut work by itself at the cost of your site now requiring cookies to function properly

User · Answer

Are you testing seeing this behaviour using IE  It s possible that IE is serving up those pages from the cache  It is notoriously hard to get IE to flush it s cache  and so on many occasions  even after you log out  typing the url of one of the  secured  pages would show the cached content from before    I ve seen this behaviour even when you log as a different user  and IE shows the  Welcome   bar at the top of your page  with the old user s username  Nowadays  usually a reload will update it  but if it s persistant  it could still be a caching issue

[asp.net] FormsAuthentication.SignOut() does not log the user out

Examples related to asp.net

Examples related to forms-authentication