FormsAuthentication.SignOut() does not log the user out

Problem description

Smashed my head against this a bit too long. How do I prevent a user from browsing a site's pages after they have been logged out using FormsAuthentication.SignOut? I would expect this to do it:

FormsAuthentication.SignOut();
Session.Abandon();
FormsAuthentication.RedirectToLoginPage();

But it doesn't. If I type in a URL directly, I can still browse to the page. I haven't used roll-your-own security in a while so I forget why this doesn't work.

Recommended answer

Users can still browse your website because cookies are not cleared when you call FormsAuthentication.SignOut() and they are authenticated on every new request. In the MS documentation it says that the cookie will be cleared but it isn't, bug? It's exactly the same with Session.Abandon(), the cookie is still there.

You should change your code to:

FormsAuthentication.SignOut();
Session.Abandon();

// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
SessionStateSection sessionStateSection = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
HttpCookie cookie2 = new HttpCookie(sessionStateSection.CookieName, "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

FormsAuthentication.RedirectToLoginPage();

HttpCookie is in the System.Web namespace. MSDN Reference.
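
The cookie clearing from the answer above, as an added example that is not part of the original answer: a browser only overwrites a stored cookie when name, path and domain match, so the expired forms cookie copies those attributes from the forms authentication configuration. The class and method names are hypothetical, and the code assumes it runs inside an ASP.NET request with session state enabled or disabled.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Hypothetical helper: the name and shape are assumptions, not from the answer.
public static class LogoutHelper
{
    public static void SignOutAndExpireCookies(HttpContextBase context)
    {
        FormsAuthentication.SignOut();
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        // Expired replacement for the forms ticket cookie. Path, domain and
        // Secure are taken from <forms> configuration so the browser treats
        // it as the same cookie that was issued at login.
        var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, "")
        {
            Expires = DateTime.Now.AddYears(-1),
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
        {
            authCookie.Domain = FormsAuthentication.CookieDomain;
        }
        context.Response.Cookies.Add(authCookie);

        // Expired replacement for the session id cookie; the name comes from
        // <sessionState cookieName="..."> rather than being hard-coded.
        var sessionState = (SessionStateSection)
            WebConfigurationManager.GetSection("system.web/sessionState");
        var sessionCookie = new HttpCookie(sessionState.CookieName, "")
        {
            Expires = DateTime.Now.AddYears(-1),
            HttpOnly = true
        };
        context.Response.Cookies.Add(sessionCookie);

        FormsAuthentication.RedirectToLoginPage();
    }
}
```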
