I've got a custom asp.net 2 login authentication creating a generic principal object and working great except that I can't get the logout to truly abandon/clear. For most of the site, I'm using one master page, but for the secure area, I'm using another master page. The secure master page uses menus, with the logout being a menu item redirect to another page (login.aspx?id=logout) with request parameters to fire. When I click logout, it does indeed take me back to the login page. But, if I manually type in the page where I've just been, it lets me through without a login. I've tried researching the problem and implementing suggestions to others, but nothing has worked. Any help GREATLY appreciated.
webConfig:
<authorization><allow users="*"/></authorization>
<trust level="Full" originUrl=""/>
<authentication mode="Forms">
<forms loginUrl="calendar/login.aspx" protection="All" timeout="60" name=".myCookie" path="calendar/" requireSSL="false" slidingExpiration="true" defaultUrl="calendar/default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false"/>
</authentication>
global.asax
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
If HttpContext.Current.User IsNot Nothing Then
If HttpContext.Current.User.Identity.IsAuthenticated Then
If TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
' Get Forms Identity From Current User
Dim id As FormsIdentity = DirectCast(HttpContext.Current.User.Identity, FormsIdentity)
' Get Forms Ticket From Identity object
Dim ticket As FormsAuthenticationTicket = id.Ticket
' userdata string was retrieved from stored user-data
Dim userData As String = ticket.UserData
Dim roles As String() = userData.Split(","c)
' Create a new Generic Principal Instance and assign to Current User
System.Web.HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
End If
End If
Else
System.Web.HttpContext.Current.User = Nothing
End If
End Sub
login.aspx
Function myAuth(ByVal mySql As String) As Boolean
'Response.Write(mySql)
FormsAuthentication.Initialize() ' Initialize FormsAuthentication
' Create connection and command objects , contactRole
Dim strConn As String = ConfigurationManager.ConnectionStrings("strConn").ConnectionString
Dim cn As New Data.SqlClient.SqlConnection(strConn)
Dim cmd As Data.SqlClient.SqlCommand
cmd = New Data.SqlClient.SqlCommand(mySql, cn)
cmd.Connection.Open()
Dim reader As Data.SqlClient.SqlDataReader = cmd.ExecuteReader()
Dim returnUrl As String, myReset As Boolean = False
If reader.Read() Then
Dim ticket As New FormsAuthenticationTicket(1, reader(0).ToString, DateTime.Now, DateTime.Now.AddMinutes(30), False, reader.GetString(1), FormsAuthentication.FormsCookiePath)
Dim hash As String = FormsAuthentication.Encrypt(ticket)
Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, hash)
cookie.Expires = ticket.Expiration
Response.Cookies.Add(cookie)
lblPid.Text = reader(0).ToString
System.Web.HttpContext.Current.Session("UserNbr") = reader(0).ToString
returnUrl = Request.QueryString("ReturnUrl")
myReset = reader(2)
If myReset = True Then returnUrl = "~/secure/myAccount.aspx?upd=3&em=" & lblPid.Text
If returnUrl Is Nothing Then
returnUrl = "/calendar/secure/myAccount.aspx"
End If
' Don't call the FormsAuthentication.RedirectFromLoginPage here, it could replace the custom authentication
Response.Redirect(returnUrl)
Else
lblPid.Text = "0"
System.Web.HttpContext.Current.Session("UserNbr") = "0"
Response.Cookies.Clear()
System.Web.Security.FormsAuthentication.SignOut()
Session.Abandon()
Session.Clear()
End If
reader.Close()
cn.Close()
cmd.Dispose()
End Function
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache)
If Not Page.IsPostBack Then
If Request("id") = "logout" Then
lblPid.Text = "0"
System.Web.HttpContext.Current.Session("UserNbr") = "0"
Response.Cookies.Clear()
Response.Clear()
System.Web.Security.FormsAuthentication.SignOut()
Session.Abandon()
Session.Clear()
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Cache.SetExpires(DateTime.Now)
txtUsername.Focus()
Else
If System.Web.HttpContext.Current.User Is Nothing Then
System.Web.HttpContext.Current.Session("UserNbr") = "0"
Response.Cookies.Clear()
Response.Clear()
System.Web.Security.FormsAuthentication.SignOut()
Session.Abandon()
Session.Clear()
txtUsername.Focus()
Else
Dim returnUrl As String = String.Empty
returnUrl = Request.QueryString("ReturnUrl")
If returnUrl Is Nothing Then
returnUrl = "~/calendar/secure/myAccount.aspx"
End If
End If
End If
End If
End Sub
secure master page:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Cache.SetExpires(DateTime.Now)
End Sub
individual secure area page:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Cache.SetExpires(DateTime.Now)
End Sub
No one has replied yet! Why not be the first?
Sign in or Join us (it's free).