
asp.net security : Expire Forms Authentication Ticket on Server Side


ray
8/3/2005 8:24:35 PM
I am using the following code to log users out,

FormsAuthentication.SignOut()
Session.Abandon()
Response.Redirect("Login.aspx")

The signout method is removing the forms authentication cookie from the
response headers that are sent back to the browser so the user is
forced to log in again. However, my security group was able to take a
copy of the cookie and send it in a request to our server and was able
to gain entry up until the forms authentication ticket times out on its
own.

Is there any way to programmatically expire the forms authentication
ticket on the server side? Or is there some configuration needed to
make sure this is done when the user is logged out? Any help is
appreciated.

Dominick Baier [DevelopMentor]
8/3/2005 10:45:40 PM
Hello ray,

I am afraid, no, this is not possible.

FormsAuth has no special logic on the server to "remember" a user, otherwise
it would not be scalable. As long as the FormsAuthModule can decrypt the
cookie, and it is in its validity time, the request is authentic.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
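
An application-level mitigation for the replay described in this thread, as an added example that is not part of either post and not ASP.NET's own code: record each logout on the server and refuse any ticket issued at or before it. It assumes cookie-based tickets, a Global.asax code-behind class named Global, and a hypothetical helper named LogoutRegistry; the in-process Cache used here is per server and is emptied on application restart, so a web farm would need a shared store.

```csharp
using System;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Hypothetical helper (added example): remembers when each user last logged out.
public static class LogoutRegistry
{
    private static string KeyFor(string userName)
    {
        return "formsauth-logout:" + userName.ToLowerInvariant();
    }

    // Call from the logout handler, before FormsAuthentication.SignOut().
    public static void RecordLogout(HttpContext context)
    {
        FormsIdentity identity =
            context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;
        FormsAuthenticationTicket ticket = identity.Ticket;
        DateTime now = DateTime.UtcNow;
        // Keep the entry for one full ticket lifetime: after that, no ticket
        // issued before this logout can still be inside its validity period.
        DateTime keepUntil = now + (ticket.Expiration - ticket.IssueDate);
        context.Cache.Insert(KeyFor(ticket.Name), now, null, keepUntil,
            Cache.NoSlidingExpiration, CacheItemPriority.NotRemovable, null);
    }

    // True when the ticket was issued at or before the user's recorded logout.
    public static bool IsRevoked(FormsAuthenticationTicket ticket, Cache cache)
    {
        object loggedOutAt = cache[KeyFor(ticket.Name)];
        return loggedOutAt != null
            && ticket.IssueDate.ToUniversalTime() <= (DateTime)loggedOutAt;
    }
}

public class Global : HttpApplication
{
    // BeginRequest runs before FormsAuthenticationModule authenticates, so the
    // check sees the ticket as the client sent it, not a renewed copy.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string name = FormsAuthentication.FormsCookieName;
        HttpCookie cookie = Request.Cookies[name];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; } // undecryptable: the module rejects it too
        if (ticket != null && LogoutRegistry.IsRevoked(ticket, Context.Cache))
            Request.Cookies.Remove(name); // request continues as anonymous
    }
}
```

Because the entry is keyed by user name, a logout in one browser invalidates every ticket that user was issued before that moment, including sessions on other machines.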
