
I have two websites on one server running ASP.NET 2.0 on IIS 7.5, both protected with forms authentication.

The URLs look like this:

 https://customerx.mydomain.com/site1/
 https://customerx.mydomain.com/site2/

Both websites run the same web application, but in different folders and connected to different databases. The two sites are set up for SSO (Single Sign-On). The user opens the login page of site1 and authenticates with his credentials (forms authentication, Membership Provider). On the start page there is a hyperlink to site2, and on site2's start page there is a link to site1, so the user can jump from one site to the other.

SSO was achieved with the following web.config entries in both applications (same cookie name and machine key):

<authentication mode="Forms">
  <forms loginUrl="~/login.aspx" defaultUrl="~/default.aspx" 
         timeout="60" name=".customerxcookie" />
</authentication>
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
<machineKey validationKey="...myvalidationkey..." validation="SHA1" />

Each user has several user rights that determine how much data he can see on the sites. The user data, including the user rights, is identical on both sites.

If I log in as an admin on site1, jump to site2 and so on, and then log out, I only log out from one site, so it is not possible to open either site without logging in again. That is not a problem. I'm using the LoginStatus control for logout:

protected void LoginStatus1_LoggedOut( object sender, EventArgs e )
{
    // Removes the shared forms authentication cookie (.customerxcookie)
    FormsAuthentication.SignOut();
    // Ends the session of the application this handler runs in
    Session.Abandon();
}

Now the problem: if I log in on site1 with a user account that has fewer rights, AFTER the admin has logged out, everything is OK on site1, but when I jump to site2 it shows the user name as expected, yet the user has all the rights of the admin and can see everything that his user rights do not allow.

I found out that there are two cookies (Firefox):

customerx.mydomain.com      customerxcookie
customerx.mydomain.com      .ASPXANONYMOUS

If I remove the cookie customerxcookie, the next login works fine. But I need to do that every time I change the user.

Any suggestions?

1 Answer

If the presence of the cookie is the problem, how about getting all the cookies and manually expiring them on logout:

string[] myCookies = Request.Cookies.AllKeys;
foreach (string cookie in myCookies)
{
  // Indexing Response.Cookies by name creates an empty cookie with that name;
  // an expiry date in the past tells the browser to delete it
  Response.Cookies[cookie].Expires = DateTime.Now.AddDays(-1);
}
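Two practical points worth checking when applying the answer above. First, a browser only deletes a cookie when the expiring Set-Cookie header matches the original cookie's path and domain; the forms cookie defaults to path "/", so an expiring cookie written from /site1/ has to carry that same path. Second, Session.Abandon() only ends the session of the application it runs in: a logout performed in site1 leaves site2's in-process session untouched, and if site2 keeps per-user rights in its session, a later user who shares the same ASP.NET_SessionId cookie (also issued at path "/") would inherit those cached rights. The question does not show how the rights are stored, so that second point is an assumption. The following is an added example, not code from the question or the answer: a logout helper that expires every cookie with an explicit path, and a Global.asax guard that discards session data whenever the authenticated user name no longer matches the name the session was populated for. The key names "RightsOwner" and "UserRights" are hypothetical.

```csharp
// Added example, not part of the original question or answer.
// Targets ASP.NET 2.0 Web Forms (no var, no LINQ).
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class LogoutHelper
{
    // Signs out of forms authentication, abandons the current app's session
    // and expires every cookie the browser sent with this request.
    public static void SignOutEverywhere(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        if (ctx.Session != null)
        {
            ctx.Session.Abandon();
        }

        foreach (string name in ctx.Request.Cookies.AllKeys)
        {
            // Build the delete-cookie explicitly so path and domain are under
            // our control; a mismatch means the browser keeps the original.
            HttpCookie dead = new HttpCookie(name, string.Empty);
            dead.Expires = DateTime.Now.AddDays(-1);
            dead.Path = "/";   // forms cookie and ASP.NET_SessionId default to "/"
            dead.HttpOnly = true;
            dead.Secure = ctx.Request.IsSecureConnection; // sites are served over https
            ctx.Response.Cookies.Set(dead);
        }
    }
}

// Global.asax.cs: runs in BOTH site1 and site2, after session state has been
// acquired but before the page executes. If the session was filled for a
// different user than the one the forms ticket now names, throw it away.
public class Global : HttpApplication
{
    private const string RightsOwnerKey = "RightsOwner"; // hypothetical key
    private const string UserRightsKey = "UserRights";   // hypothetical key

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null || !ctx.Request.IsAuthenticated)
        {
            return; // no session for this handler, or anonymous request
        }

        string current = ctx.User.Identity.Name;
        string cached = ctx.Session[RightsOwnerKey] as string;

        if (cached != null &&
            !string.Equals(cached, current, StringComparison.OrdinalIgnoreCase))
        {
            // Session survived a logout done in the other application:
            // drop everything cached for the previous user (including rights).
            ctx.Session.Clear();
        }

        ctx.Session[RightsOwnerKey] = current;
        // Whatever loads rights into Session[UserRightsKey] now sees an empty
        // slot and must reload them for the current user from its own database.
    }
}

// Wiring the helper into the page's logout handler:
//
// protected void LoginStatus1_LoggedOut(object sender, EventArgs e)
// {
//     LogoutHelper.SignOutEverywhere(Context);
// }
```

The guard does not replace the cookie clean-up; it is the check that keeps site2 from trusting data its session cached for an earlier identity, regardless of which site the logout happened on.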