FormsAuthentication.SignOut()

Hello guys,

as hinted by the header I need some possible help and/or input regarding FormsAuthentication.SignOut(). I have a custom log out button that works fine when using Chrome/FF, but when the customer is using IE11 it doesn't sign out the user.

However: the user gets signed out of EPiServer, but when I check user roles manually (after SignOut() ofc), Roles.IsUserInRole([ some groups]) still returns TRUE, and then the code logic fails since it should be returning FALSE (obviously).

Is there a IE quick fix for this? Clearing of certain cookies or what not? Or something I've missed?

BR
Patrik

#148516
May 16, 2016 14:24
    Session.Abandon();                              // drop server-side session state
    FormsAuthentication.SignOut();                  // clear the forms-auth ticket
    Response.Redirect(FormsAuthentication.LoginUrl); // new request = new (anonymous) principal

Should do it...don't forget the redirect...

I think I once looped through cookies collection before redirect and set an earlier expires date.

#148517
Edited, May 16, 2016 14:55
Thanks Daniel,

thanks for the reply. Will try it asap. However, must the redirect be done against that specific URL? The user does not in my case wish to return to the preset login screen.

BR
Patrik
#148542
May 17, 2016 7:28
Nah...doesn't matter where on site you send them. Just need to redirect to be sure that everything is reset for current user. 

#148543
May 17, 2016 8:42
Daniel, when I run the code the Session (or HttpContext.Current.Session) object is null. I'm running MVC obviously - any ideas on how to tackle that?

#148547
May 17, 2016 9:27
Also, I've tried adding the following to web.config:

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      ...
      <!-- re-register the session module so Session is populated for MVC requests -->
      <remove name="Session"/>
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    </modules>
  </system.webServer>
#148548
Edited, May 17, 2016 9:29
Skip the session abandon if you aren't using session...
#148553
May 17, 2016 9:47
Hi Daniel,

I'm trying to understand something similar.... 

My logout action looks like this:

public virtual ActionResult Logout(string returnUrl)
{
    // Log out user:
    ClearSessionValues();
    FormsAuthentication.SignOut();

    // Get anonymous logged-out user ID:
    var anonymousUserId = PrincipalInfo.CurrentPrincipal.GetContactId();   //doesn't work, still returns logged-in user ID

    // do some stuff.... etc.

    return Redirect(returnUrl);
}

As you can see, I want to get a new anonymous user ID from PrincipalInfo.CurrentPrincipal.GetContactId() after logging the user out.  Is that possible?  It seems like my call to PrincipalInfo.CurrentPrincipal.GetContactId() still returns the logged-in ID.  Your comments above seem to indicate that I must redirect to another action first.  Is that right?

Thanks,

 - Ken

#152107
Aug 16, 2016 21:39
Yes. If you don't redirect you will get some strange things like that. The current request still has authentication cookies etc. Redirecting will clear everything...

#152109
Aug 17, 2016 8:14
Is it cookieless?

if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
{
    Response.Redirect(loginurl, false);
}
else
{
    Response.Redirect(loginurl, false);
}

#152115
Aug 17, 2016 10:31
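Putting Daniel's recipe (L22-24, and "don't forget the redirect") together with the cookie-mode question above, here is an added example of a complete MVC logout action. It is not code from this thread or from EPiServer: it assumes an ASP.NET MVC 5 controller with FormsAuthentication configured, the controller name and the ClearSessionValues() helper from Ken's post are hypothetical, and the explicit cookie expiry is the belt-and-braces step Daniel mentions for browsers that keep serving a cookie SignOut() only emptied. It also closes the open-redirect hole in `return Redirect(returnUrl)`: an unchecked returnUrl lets a link such as /Account/Logout?returnUrl=https://evil.example/ bounce the user off-site.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the project's own code. AccountController and
// ClearSessionValues() are assumed names.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // logout as POST + token: a third-party page cannot log the user out via a plain GET
    public ActionResult Logout(string returnUrl)
    {
        // 1. Under MVC, Session is null when session state is disabled; guard it.
        if (Session != null)
        {
            Session.Clear();
            Session.Abandon();
        }

        // 2. Remove the forms ticket (from the cookie, or from the URL in cookieless mode).
        FormsAuthentication.SignOut();

        // 3. Explicitly expire the auth and session cookies. In cookieless mode there
        //    is nothing to expire, so check CookiesSupported rather than CookieMode.
        if (FormsAuthentication.CookiesSupported)
        {
            ExpireCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath);
            ExpireCookie("ASP.NET_SessionId", "/");
        }

        // 4. Do NOT read HttpContext.User / Roles / PrincipalInfo here: the principal was
        //    built by the auth module at the start of THIS request and still describes the
        //    logged-in user. Redirect; the next request is the first anonymous one.
        return Redirect(SafeReturnUrl(returnUrl));
    }

    // Queue a replacement cookie with an expiry in the past so the browser drops it.
    private void ExpireCookie(string name, string path)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            Path = path,
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
        };
        Response.Cookies.Set(cookie); // Set replaces any same-named cookie already queued
    }

    // Only follow local paths; anything else falls back to the login page.
    private string SafeReturnUrl(string returnUrl)
    {
        return !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl)
            ? returnUrl
            : FormsAuthentication.LoginUrl;
    }
}
```

The fallback target does not have to be the login page, as Daniel says; any local URL works. What matters is that the post-logout logic (role checks, reading the anonymous contact ID) runs in the redirected request, not in the one that called SignOut().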
@ K Khan -

We're using FormsAuthentication.CookieMode == HttpCookieMode.UseDeviceProfile - meaning it might/or might not use cookies depending on the browser settings.

Hmmmm, what would be the "correct" way to capture the anonymous user ID after every logout? 

We cannot predict where our logout action redirects to because it redirects to "whatever page the user was viewing when they clicked logout" (so that could be ANY page).

Is there some event, or something, that I can tap into to reliably get that anonymous ID after a logout?

#152131
Aug 17, 2016 15:43
https://msdn.microsoft.com/en-us/library/system.web.httprequest.anonymousid.aspx

/K

#152180
Aug 18, 2016 19:21
According to Microsoft: The SignOut method removes the forms-authentication ticket information from the cookie or the URL if CookiesSupported is false.

#200380
Jan 10, 2019 8:06