FormsAuthentication.SignOut（）不注销用户 [英] FormsAuthentication.SignOut() does not log the user out

问题描述

砸坏了我的头这太长了一点。我如何prevent从浏览网站的页面，他们一直在使用FormsAuthentication.SignOut注销后用户？我希望它可以做到这一点：

Smashed my head against this a bit too long. How do I prevent a user from browsing a site's pages after they have been logged out using FormsAuthentication.SignOut? I would expect this to do it:

FormsAuthentication.SignOut();
Session.Abandon();
FormsAuthentication.RedirectToLoginPage();

但事实并非如此。如果我在URL中直接键入，我仍可以浏览到该页面。我没有用滚你自己的安全性在一段时间让我忘记了为什么这是行不通的。

But it doesn't. If I type in a URL directly, I can still browse to the page. I haven't used roll-your-own security in a while so I forget why this doesn't work.

推荐答案

用户仍可以浏览您的网站，因为Cookie不被清除，当你调用FormsAuthentication.SignOut（）和他们在每次新的请求进行身份验证。在MS文档是说cookie将被清除，但他们不这样做，错误？
它正好与Session.Abandon（）一样，饼干仍然存在。

Users can still browse your website because cookies are not cleared when you call FormsAuthentication.SignOut() and they are authenticated on every new request. In MS documentation is says that cookie will be cleared but they don't, bug? Its exactly the same with Session.Abandon(), cookie is still there.

您应该更改code这样：

You should change your code to this:

FormsAuthentication.SignOut();
Session.Abandon();

// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// clear session cookie (not necessary for your current problem but i would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

FormsAuthentication.RedirectToLoginPage();

的HttpCookie 是的System.Web 命名空间。 MSDN参考。

这篇关于FormsAuthentication.SignOut（）不注销用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！