1
votes

So I have an ASP.NET Web Forms Application with custom Forms Authentication. I basically just create a cookie that contains an encrypted user name and password and keep the session alive with that cookie. When a user logs out I add an expired cookie (cookie.Expires = Now) of the same name to the response. When I am on any actual page such as http://www.mydomain.com/default or http://www.mydomain.com/aboutus I have no problem logging out. BUT if the user happens to be on http://www.mydomain.com logout fails.

The cookie, when set from an actual page, contains the domain (www.mydomain.com) and the expiration date. But when set from www.mydomain.com that cookie contains no domain or expiration date.

Watching from Fiddler: Logging out from root domain (http://www.mydomain.com) Fiddler says:

This response did not set any cookies.

Even though the Fiddler inspector displays my cookie by name. Request sent 351 bytes of Cookie data:

ASP.NET_SessionId=tdohhekwzigkpuvqbphkzyxv; DEABE_ROBTFVAN=YYpYXpVjdkNEQwcPIhLrDkN4acbigcb9Ve9QusdfsdfdMCAYka981sdfsdfsdfXxl8eBXg==;

Logging out from any actual page (http://www.mydomain.com/aboutus) Response sent 62 bytes of Cookie data:

Set-Cookie: DEABE_ROBTFVAN=; expires=Sun, 06-Oct-2013 20:14:42 GMT; path=/__utmb=142232619.22.10.1381088759; __utmc=142232619;

My request from the root domain when clicking logout looks like:

POST / HTTP/1.1
Host: www.mydomain.com
Connection: keep-alive
Content-Length: 682
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mydomain.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ASP.NET_SessionId=0d2rmdy1w5wsiontcrml12yw; DEABE_ROBTFVAN=YYpYXpVjdkNEQwcPIhLrDkN4acbigasdasdasdcb9Ve9QuMCAYka981Xxl8eBXg==; __utma=142232619.1494664078.1381091188.1381091188.1381094343.2; __utmb=142232619.3.10.1381094343; __utmc=142232619; __utmz=142232619.1381094343.2.2.utmcsr=mydomain.com|utmccn=(referral)|utmcmd=referral|utmcct=

My request when logging out from www.mydomain.com/About:

POST /About HTTP/1.1
Host: www.mydomain.com
Connection: keep-alive
Content-Length: 402
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mydomain.com/About
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ASP.NET_SessionId=0d2rmdy1w5wsiontcrml12yw; DEABE_ROBTFVAN=YYpYXpVjdkNEQwcPIhLrDkN4acbigcb9Ve9QuMCAYka981Xxl8eBXg==; __utma=142232619.1494664078.1381091188.1381091188.1381094343.2; __utmb=142232619.5.10.1381094343; __utmc=142232619; __utmz=142232619.1381094343.2.2.utmcsr=kazork.com|utmccn=(referral)|utmcmd=referral|utmcct=/admin/user/UserSearch.aspx

My code:

Imports System
Imports System.Web

' Called by the logout button: writes an expired copy of the auth cookie
' to the response and drops the server-side session.
Public Sub Logout()

    GlobalFunctions.AddCookieToResponse(Nothing, Nothing, True)

    HttpContext.Current.Session("AP_CurrentUser") = Nothing
    HttpContext.Current.Session.Abandon()

End Sub

' Issues the auth cookie. With a user name and password the cookie carries
' the encrypted "user:password" pair; with expireNow = True it is written
' with no value and Expires set to the current time, which is what Logout
' relies on to delete it in the browser.
Public Shared Sub AddCookieToResponse(userName As String, password As String, Optional expireNow As Boolean = False)

    '====================================================================
    'Create top level domain cookie
    '====================================================================
    'Domain not being used currently, wanted to eliminate .mydomain I was seeing in the cookie
    Dim domain As String = GetDomain()

    Dim cookie As New HttpCookie(GlobalFunctions.GetCookieName())

    'If GlobalFunctions.HasData(domain) Then
    '    cookie.Domain = domain
    'End If

    If GlobalFunctions.HasData(userName) AndAlso GlobalFunctions.HasData(password) Then
        cookie.Value = GlobalFunctions.Encrypt(userName & ":" & password)
    End If

    If expireNow Then
        cookie.Expires = DateTime.Now
    Else
        cookie.Expires = DateTime.Now.AddDays(1)
    End If

    HttpContext.Current.Response.Cookies.Add(cookie)
    '====================================================================

End Sub

' The cookie name depends on which of the two sites this library is serving.
Public Shared Function GetCookieName() As String
    If GetCurrentWebsiteName() = Constants.WEBSITES.MyWebsite1 Then
        Return "DEABE_ROBTFVAN"
    Else
        Return "ABE_OPED_JDZRK"
    End If
End Function

Response traffic when it works (there are two responses with a successful logout):

HTTP/1.1 302 Found
Cache-Control: private,600
Content-Type: text/html; charset=utf-8
Location: /Default
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: DEABE_ROBTFVAN=; expires=Wed, 23-Oct-2013 05:57:45 GMT; path=/
Set-Cookie: OAUTHDEABE_ROBTFVAN=; domain=www.mydomain.com; expires=Wed, 23-Oct-2013 05:57:45 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 23 Oct 2013 05:57:45 GMT
Content-Length: 125

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Default">here</a>.</h2>
</body></html>

Response 2 with successful logout:

HTTP/1.1 200 OK
Cache-Control: private,600
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 23 Oct 2013 06:23:03 GMT
Content-Length: 7710

(gzip-compressed body omitted; Fiddler RawDisplay truncated at 128 characters)

Response traffic when logout at the root domain doesn't work:

HTTP/1.1 200 OK
Cache-Control: private,600
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 23 Oct 2013 06:12:25 GMT
Content-Length: 8274

(gzip-compressed body omitted; Fiddler RawDisplay truncated at 128 characters)

3
Can you post the HTTP response traffic that you get in the following two situations? (1) When you log out and it works, and (2) When you log out and it doesn't work. - John Wu

Added; well, there is something definitely wrong. I use this code for two domains: one allows logout from the root domain, but the domain being used in my question fails to log out at the root domain. Same code, just a different cookie name for each domain. - Brian Ogden

And the two cookie names you see here, DEABE_ROBTFVAN and OAUTHDEABE_ROBTFVAN, are for the same domain; the cookies kill a regular session or an OAuth session respectively, whether one exists or not. I don't have any response/request information included for my other domain that works for logout at the root domain using the same library and code; I am just mentioning that this code works fine for another website, which almost makes me think it is a DNS issue of some strangeness. - Brian Ogden

3 Answers

0
votes

First, try to set the expiration to a date in the past:

cookie.Expires = DateTime.Now.AddDays( -1 );

If this doesn't help, verify that you don't set Path when you issue the cookie.

If this still doesn't help, use an HTTP debugger, like Fiddler, to verify what happens. You seem unsure whether the cookie doesn't get to the browser or the browser doesn't accept it, but one of the two can be easily eliminated when you see the traffic with the debugger.

0
votes

Seems like you have different cookies with the same name. This can happen if the cookies are not all created the same way. If you are not specifying the path then the cookies will be relative to the page.
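The two answers above both come down to one matching rule, which this added example makes concrete. It is not code from the question or from either answer: it drives Python's http.cookiejar.CookieJar, which applies the same deletion rule a browser does (a Set-Cookie whose Expires is in the past removes a stored cookie only when its name, domain and path all equal the stored cookie's), using the cookie name and host from the question. The login cookie value, the /account/settings URL and the 30-second clock skew are constructed for the example.

```python
"""Cookie-deletion semantics, simulated with Python's http.cookiejar.

Added example, not code from the original question or its answers.  The jar
keys every cookie by (domain, path, name); a Set-Cookie with a past Expires
clears exactly that key and nothing else, which is what a browser does too.
"""
import email.message
import http.cookiejar
import time
import urllib.request
from email.utils import formatdate

COOKIE_NAME = "DEABE_ROBTFVAN"             # cookie name from the question
SITE = "http://www.mydomain.com"           # host from the question
STORED_VALUE = "opaque-encrypted-blob"     # constructed login value
PAST = formatdate(86400, usegmt=True)      # Fri, 02 Jan 1970 00:00:00 GMT


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies():
    info() must return a headers object that supports get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # duplicate headers are kept

    def info(self):
        return self._headers


def apply_response(jar, url, set_cookie_values):
    """Process the Set-Cookie headers of a response to a request for url."""
    jar.extract_cookies(_Response(set_cookie_values), urllib.request.Request(url))


def cookie_state(jar, name):
    """Value of the live cookie called `name`, or None if the store has none.
    Expired cookies are evicted first, as a browser would do."""
    jar.clear_expired_cookies()
    for cookie in jar:
        if cookie.name == name:
            return cookie.value
    return None


def logout_result(logout_url, logout_headers):
    """Log in, apply the logout response, return what survives in the store
    (None means the cookie really was deleted).

    Constructed scenario: login is a Set-Cookie with path=/ and no Domain
    attribute, issued from the site root, as in the working trace in the
    question."""
    jar = http.cookiejar.CookieJar()
    apply_response(jar, SITE + "/", [f"{COOKIE_NAME}={STORED_VALUE}; path=/"])
    assert cookie_state(jar, COOKIE_NAME) == STORED_VALUE
    apply_response(jar, logout_url, logout_headers)
    return cookie_state(jar, COOKIE_NAME)


def run_scenarios():
    """Map each logout variant to the cookie value left in the store."""
    name = COOKIE_NAME
    skewed = formatdate(time.time() + 30, usegmt=True)   # server clock 30 s ahead
    return {
        # 1. Name, host-only domain and path all match the stored cookie: deleted.
        "past expiry, path=/": logout_result(
            SITE + "/", [f"{name}=; expires={PAST}; path=/"]),
        # 2. A Domain attribute makes the jar key it as .www.mydomain.com, which is
        #    not the host-only entry stored at login: NOT deleted.
        "past expiry, domain attribute": logout_result(
            SITE + "/", [f"{name}=; expires={PAST}; domain=www.mydomain.com; path=/"]),
        # 3. Explicit path that differs from the stored /: NOT deleted.
        "past expiry, path=/About": logout_result(
            SITE + "/About", [f"{name}=; expires={PAST}; path=/About"]),
        # 4. No Path attribute from a nested page: the default path is the request
        #    directory (/account), not /: NOT deleted.
        "past expiry, no path, nested page": logout_result(
            SITE + "/account/settings", [f"{name}=; expires={PAST}"]),
        # 5. Expires equals the server's "now" but the client clock is behind: the
        #    cookie is overwritten with an empty value and kept alive, not deleted.
        "expires=Now with 30 s clock skew": logout_result(
            SITE + "/", [f"{name}=; expires={skewed}; path=/"]),
        # 6. The failing root-page trace: no Set-Cookie at all: NOT deleted.
        "no Set-Cookie header": logout_result(SITE + "/", []),
    }


if __name__ == "__main__":
    for scenario, value in run_scenarios().items():
        print(f"{'DELETED' if value is None else 'KEPT   '}  {scenario}: {value!r}")
```

Scenario 1 is the shape of the working Set-Cookie in the question (name, past date, path=/, no Domain); scenario 2 is the OAUTHDEABE_ROBTFVAN variant with a Domain attribute, which a cookie store keys differently from a host-only cookie; scenario 6 is the failing root response, where no Set-Cookie was sent at all, so the browser has nothing to act on. Scenario 5 is the reason for the first answer's advice: the browser compares Expires with its own clock, so a value equal to the server's current second can still be in the future on the client, and the cookie is then overwritten with an empty value and keeps being sent instead of being deleted; a fixed date well in the past has no such edge.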

0
votes

It doesn't sound like the issue is with the cookies. The traffic you posted looks weird (or maybe I'm just not reading it correctly).

When you log out, do you POST to / and /About? That's what it says in the first part of your logs but I would normally expect it to go to /Logout or something like that.

Then, when the server responds, the successful version returns a 302 with a Set-Cookie. That's the bit that removes the cookie. The second response is just following the redirect from the 302.

When it fails, it returns a 200 without a Set-Cookie which makes me wonder if the server side Logout method was called at all.