FormsAuthentication.SignOut Not Working With Custom-Domain Cookie

9
votes

Title should say it all.

Here's the code to set the cookie:

// snip - some other code to create custom ticket
var httpCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encodedTicket);
httpCookie.Domain = "mysite.com";
httpContextBase.Response.Cookies.Add(httpCookie);

Here's my code to signout of my website:

FormsAuthentication.SignOut();

Environment:

  • ASP.NET MVC 3 Web Application

  • IIS Express

  • Visual Studio 2010

  • Custom domain: "http://localhost.www.mysite.com"

So when i try and log-off, the cookie is still there. If i get rid of the httpCookie.Domain line (e.g default to null), it works fine.

Other weird thing i noticed is that when i set the domain, Chrome doesn't show my cookie in the Resources portion of developer tools, but when i dont set the domain, it does.

And secondly, when i actually create the cookie with the custom domain, on the next request when i read in the cookie from the request (to decrypt it), the cookie is there, but the domain is null?

I also tried creating another cookie with the same name and setting the expiry to yesterday. No dice.

What's going on? Can anyone help?

2
asp.netasp.net-mvccookiesdnsforms-authentication
Is it possible for you to specify the domain attribute on the forms element in your web.config? The SignOut method will use this to set the right cookie.vcsjones
@vcsjones - yeah, i can't. Because my application serves seperate TLD's, e.g www.mysite.com and someothersite.foo.com. So i need to extract the domain dynamically from the request. I'll try that temporarily and see if that fixes it. (even though it's not a solution, but just for curiousity)RPM1984
It is extremely dangerous to not use HTTP Only for an authentication token.Chris Marisic
@Chris - true, i've made it httponly now.RPM1984

2 Answers

4
votes

I believe if you set the domain attribute on the forms element in you web.config, to the same as the one in your custom cookie, it should work. (EDIT: that approach won't work because the SignOut method on FormsAuthentication sets other flags on the cookie that you are not, like HttpOnly) The SignOut method basically just sets the cookie's expiration date to 1999, and it needs the domain to set the right cookie.

If you can't hardcode the domain, you can roll your own sign out method:

private static void SignOut()
{
    var myCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    myCookie.Domain = "mysite.com";
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    HttpContext.Current.Response.Cookies.Add(myCookie);
}

An authentication cookie is just a plain cookie; so you would remove it the same way you would any other cookie: expire it and make it invalid.

0
votes

I had a similar problem. In my case, I was storing some userData in the AuthCookie and experienced the same effects as described above, and upon authentication at each request, reading the cookie and putting the userData in a static variable. It turned out in my case that the data was being persisted in the application. To get around it, I had to first clear my static variable, and then expire the cookie. I used the following in the LogOff method of my AccountController:

AuthCookie.Clear(); //STATIC CLASS holding my userdata implemented by me.
Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddYears(-1);
Response.Cookies[FormsAuthentication.FormsCookieName].Value = null;
return RedirectToAction("Index", "Home");

Hope this helps.

UPDATE

On a hunch after submitting, I replaced the middle two lines with:

FormsAuthentication.SignOut();

... and it worked fine where it didn't before.

Note:

AuthCookie.Clear();

... does not touch the AuthCookie, it just resets the static class I wrote to default values.

Again, hope this helps.