logout not abandoning session

asp.net, mysql (United States)
  • 13 years ago

    I've got a custom asp.net 2 login authentication creating a generic principal object and working great except that I can't get the logout to truly abandon/clear.  For most of the site, I'm using one master page, but for the secure area, I'm using another master page.  The secure master page uses menus, with the logout being a menu item redirect to another page (login.aspx?id=logout) with request parameters to fire.  When I click logout, it does indeed take me back to the login page.  But, if I manually type in the page where I've just been, it lets me through without a login.  I've tried researching the problem and implementing suggestions to others, but nothing has worked.  Any help GREATLY appreciated.

    web.config:
    <authorization><allow users="*"/></authorization>
    <trust level="Full" originUrl=""/>
    <authentication mode="Forms">
    <forms loginUrl="calendar/login.aspx" protection="All" timeout="60" name=".myCookie" path="calendar/" requireSSL="false" slidingExpiration="true" defaultUrl="calendar/default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
    </authentication>

    global.asax
        Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
            If HttpContext.Current.User IsNot Nothing Then
                If HttpContext.Current.User.Identity.IsAuthenticated Then
                    If TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
                        ' Get Forms Identity From Current User
                        Dim id As FormsIdentity = DirectCast(HttpContext.Current.User.Identity, FormsIdentity)
                        ' Get Forms Ticket From Identity object
                        Dim ticket As FormsAuthenticationTicket = id.Ticket
                        ' userdata string was retrieved from stored user-data
                        Dim userData As String = ticket.UserData
                        Dim roles As String() = userData.Split(","c)
                        ' Create a new Generic Principal Instance and assign to Current User
                        System.Web.HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
                    End If
                End If
            Else
                System.Web.HttpContext.Current.User = Nothing
            End If
        End Sub

    login.aspx
        Function myAuth(ByVal mySql As String) As Boolean
            'Response.Write(mySql)
            FormsAuthentication.Initialize() ' Initialize FormsAuthentication
            ' Create connection and command objects , contactRole
            ' NOTE: mySql is executed exactly as passed in, so the caller must build it with
            ' SqlParameter values rather than by concatenating the submitted username/password.
            Dim strConn As String = ConfigurationManager.ConnectionStrings("strConn").ConnectionString
            Dim returnUrl As String, myReset As Boolean = False
            ' Using blocks guarantee the reader, command and connection are disposed even though
            ' Response.Redirect ends the request by throwing ThreadAbortException, which skipped
            ' the Close() calls that used to sit after the If block.
            Using cn As New Data.SqlClient.SqlConnection(strConn)
                Using cmd As New Data.SqlClient.SqlCommand(mySql, cn)
                    cn.Open()
                    Using reader As Data.SqlClient.SqlDataReader = cmd.ExecuteReader()
                        If reader.Read() Then
                            ' Column 0: user id, column 1: comma-separated roles (stored in UserData), column 2: password-reset flag
                            Dim ticket As New FormsAuthenticationTicket(1, reader(0).ToString, DateTime.Now, DateTime.Now.AddMinutes(30), False, reader.GetString(1), FormsAuthentication.FormsCookiePath)
                            Dim hash As String = FormsAuthentication.Encrypt(ticket)
                            Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, hash)
                            cookie.Expires = ticket.Expiration
                            Response.Cookies.Add(cookie)
                            lblPid.Text = reader(0).ToString
                            System.Web.HttpContext.Current.Session("UserNbr") = reader(0).ToString
                            returnUrl = Request.QueryString("ReturnUrl")
                            myReset = Convert.ToBoolean(reader(2))
                            If myReset Then returnUrl = "~/secure/myAccount.aspx?upd=3&em=" & lblPid.Text
                            If returnUrl Is Nothing Then
                                returnUrl = "/calendar/secure/myAccount.aspx"
                            End If
                            ' Don't call the FormsAuthentication.RedirectFromLoginPage here, it could replace the custom authentication
                            Response.Redirect(returnUrl)
                            Return True
                        Else
                            lblPid.Text = "0"
                            System.Web.HttpContext.Current.Session("UserNbr") = "0"
                            Response.Cookies.Clear()
                            System.Web.Security.FormsAuthentication.SignOut()
                            Session.Abandon()
                            Session.Clear()
                            Return False
                        End If
                    End Using
                End Using
            End Using
        End Function

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache)
            If Not Page.IsPostBack Then
                If Request("id") = "logout" Then
                    lblPid.Text = "0"
                    System.Web.HttpContext.Current.Session("UserNbr") = "0"
                    ' Response.Cookies.Clear() only empties the outgoing response's cookie collection;
                    ' FormsAuthentication.SignOut() below is what actually expires the ticket cookie in the browser.
                    Response.Cookies.Clear()
                    Response.Clear()
                    System.Web.Security.FormsAuthentication.SignOut()
                    Session.Abandon()
                    Session.Clear()
                    Response.Cache.SetCacheability(HttpCacheability.NoCache)
                    Response.Cache.SetExpires(DateTime.Now)
                    txtUsername.Focus()
                Else
                    If System.Web.HttpContext.Current.User Is Nothing Then
                        System.Web.HttpContext.Current.Session("UserNbr") = "0"
                        Response.Cookies.Clear()
                        Response.Clear()
                        System.Web.Security.FormsAuthentication.SignOut()
                        Session.Abandon()
                        Session.Clear()
                        txtUsername.Focus()
                    Else
                        ' returnUrl is computed here but never used: no redirect follows.
                        Dim returnUrl As String = String.Empty
                        returnUrl = Request.QueryString("ReturnUrl")
                        If returnUrl Is Nothing Then
                            returnUrl = "~/calendar/secure/myAccount.aspx"
                        End If
                    End If
                End If
            End If
        End Sub

    secure master page:
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            Response.Cache.SetCacheability(HttpCacheability.NoCache)
            Response.Cache.SetExpires(DateTime.Now)
        End Sub

    individual secure area page:
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            Response.Cache.SetCacheability(HttpCacheability.NoCache)
            Response.Cache.SetExpires(DateTime.Now)
        End Sub
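The symptom described in the post (a secure page still opens after logout) is what you get when the only thing stopping anonymous visitors is browser caching: the root `<authorization><allow users="*"/></authorization>` admits everyone, the secure pages never check `User.Identity.IsAuthenticated`, and `Session.Abandon()` does not invalidate an authentication cookie. The following is an added example, not the poster's code, showing a server-side guard in the secure master page and a logout handler that expires both the forms ticket cookie and the session cookie. It assumes the web.config from the post (cookie name `.myCookie`, `loginUrl="calendar/login.aspx"`); the class names `SecureMaster` and `LoginPage` and the method `Logout` are illustrative.

```vbnet
' Added example (not from the original post). Assumes the poster's web.config:
' forms cookie ".myCookie", loginUrl "calendar/login.aspx".
Imports System
Imports System.Web
Imports System.Web.Security

' Master page used by every page under the secure area.
Public Class SecureMaster
    Inherits System.Web.UI.MasterPage

    ' Init runs before the content page's Page_Load, so an anonymous request never reaches page logic.
    Protected Sub Page_Init(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Init
        ' Authorize from the forms ticket (User.Identity), not from a Session value:
        ' abandoning the session leaves any ticket cookie the browser still holds valid.
        If Not Request.IsAuthenticated Then
            ' Redirect to the configured loginUrl, preserving the requested URL in ReturnUrl.
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If
        ' Treat a ticket that expired while its cookie survived as logged out.
        Dim id As FormsIdentity = TryCast(User.Identity, FormsIdentity)
        If id Is Nothing OrElse id.Ticket.Expired Then
            FormsAuthentication.SignOut()
            FormsAuthentication.RedirectToLoginPage()
        End If
    End Sub
End Class

' Code-behind for login.aspx; Logout is what login.aspx?id=logout should invoke.
Public Class LoginPage
    Inherits System.Web.UI.Page

    Protected Sub Logout()
        ' 1. Server side: drop the session and everything stored in it.
        Session.Clear()
        Session.Abandon()

        ' 2. Client side: SignOut() queues a Set-Cookie that expires the forms ticket cookie.
        FormsAuthentication.SignOut()

        ' 3. Expire the session id cookie too, so the old id is not reused when ASP.NET
        '    re-creates a session for this browser on its next request.
        Dim sessionCookie As New HttpCookie("ASP.NET_SessionId", String.Empty)
        sessionCookie.Expires = DateTime.Now.AddYears(-1)
        Response.Cookies.Add(sessionCookie)

        ' 4. Keep this response out of browser and proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache)
        Response.Cache.SetNoStore()

        ' Redirecting (instead of rendering the form directly) makes the browser's next request
        ' arrive without the expired cookies, so the master page guard sees an anonymous user.
        Response.Redirect(FormsAuthentication.LoginUrl, True)
    End Sub
End Class
```

The declarative equivalent of the `Page_Init` guard, and the usual first fix, is a `<location path="calendar/secure">` element in web.config whose `<system.web><authorization>` contains `<deny users="?"/>` before the `<allow users="*"/>`; ASP.NET then refuses anonymous requests to that folder before any page code runs, and the master page check becomes a second line of defence. The cache headers in the post remain useful, but only to stop the Back button from showing stale content; they never decide who is allowed in.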

No one has replied yet! Why not be the first?
