Velocity Reviews - Computer Hardware Reviews


Expire Forms Authentication Ticket on Server Side

 
 
ray
      08-04-2005
I am using the following code to log users out,

FormsAuthentication.SignOut()
Session.Abandon()
Response.Redirect("Login.aspx")

The signout method is removing the forms authentication cookie from the
response headers that are sent back to the browser so the user is
forced to log in again. However, my security group was able to take a
copy of the cookie and send it in a request to our server and was able
to gain entry up until the forms authentication ticket times out on its
own.

Is there any way to programmatically expire the forms authentication
ticket on the server side? Or is there some configuration needed to
make sure this is done when the user is logged out? Any help is
appreciated.

 
Dominick Baier [DevelopMentor]
      08-04-2005
Hello ray,

I am afraid, no, this is not possible.

FormsAuth has no special logic on the server to "remember" a user, otherwise
it would not be scalable. As long as the FormsAuthModule can decrypt the
cookie, and it is in its validity time, the request is authentic.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am using the following code to log users out,
>
> FormsAuthentication.SignOut()
> Session.Abandon()
> Response.Redirect("Login.aspx")
>
> The signout method is removing the forms authentication cookie from
> the response headers that are sent back to the browser so the user is
> forced to log in again. However, my security group was able to take a
> copy of the cookie and send it in a request to our server and was able
> to gain entry up until the forms authentication ticket times out on
> its own.
>
> Is there any way to programmatically expire the forms authentication
> ticket on the server side? Or is there some configuration needed to
> make sure this is done when the user is logged out? Any help is
> appreciated.
>
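
Added example, not part of either post and not code from the thread's authors: since FormsAuth itself keeps no server-side record of tickets, an application that wants logout to reject a copied cookie has to keep that record itself and check it on every request. The C# below does this with a per-user logout time; the `LogoutRegistry` class, the `LogOut` helper and the in-memory store are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: remembers, per user name, when that user last logged out.
// Assumption: one server, in-memory store (lost on restart, not shared in a web farm).
public static class LogoutRegistry
{
    private static readonly object Gate = new object();
    private static readonly Dictionary<string, DateTime> LoggedOutAt =
        new Dictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public static void RecordLogout(string userName)
    { lock (Gate) { LoggedOutAt[userName] = DateTime.UtcNow; } }

    // A ticket issued before the user's last logout is rejected even though it still decrypts.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime loggedOut;
        lock (Gate)
            return LoggedOutAt.TryGetValue(ticket.Name, out loggedOut)
                && ticket.IssueDate.ToUniversalTime() < loggedOut;
    }
}

public class Global : HttpApplication
{
    // Global.asax handler; by this point FormsAuthenticationModule has set Context.User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity id = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (id == null || !LogoutRegistry.IsRevoked(id.Ticket)) return;
        FormsAuthentication.SignOut();   // tell the browser to drop the stale cookie
        // Continue as anonymous; URL authorization then sends the request to the login page.
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    // Logout path from the question, with the server-side record added first.
    public static void LogOut(HttpContext context)
    {
        if (context.User != null && context.User.Identity.IsAuthenticated)
            LogoutRegistry.RecordLogout(context.User.Identity.Name);
        FormsAuthentication.SignOut();
        if (context.Session != null) context.Session.Abandon();
        context.Response.Redirect("Login.aspx");
    }
}
```

Because the record is keyed on the user name, logging out in one browser also rejects that user's older tickets in every other browser. Entries older than the configured forms timeout can be pruned, since tickets issued before them have expired on their own.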




 