Page.User.Identity.IsAuthenticated still true after FormsAuthentication.SignOut()

Question

I have a page that when you press 'log out' it will redirect to the login.aspx page which has a Page_Load method which calls FormsAuthentication.SignOut().

The master page displays the 'log out' link in the top right of the screen and it displays it on the condition that Page.User.Identity.IsAuthenticated is true. After stepping through the code however, this signout method doesn't automatically set IsAuthenticated to false which is quite annoying, any ideas?

My understanding is that you should check auth cookie presence, rather than this flag? — Sheen, Oct 29 '10 at 10:27
And how do I do this? I think the cookie still exists after FormsAuthentication.SignOut(). — lisburnite, Oct 29 '10 at 10:38
possible duplicate question http://stackoverflow.com/questions/412300/formsauthentication-signout-does-not-log-the-user-out — BrokenGlass, Oct 29 '10 at 12:50
Remember that: Authenticated = "System know who you are" Authorized = "System know what you are allowed to do". That said: LogOut = "Authorized to nothing" .... but "System still knows who you are" — Kasper Halvas Jensen, Apr 14 '16 at 11:15

score 107 · Accepted Answer · answered Apr 10 '13 at 14:21

107

Page.User.Identity.IsAuthenticated gets its value from Page.User (obviously) which is unfortunately read-only and is not updated when you call FormsAuthentication.SignOut().

Luckily Page.User pulls its value from Context.User which can be modified:

// HttpContext.Current.User.Identity.IsAuthenticated == true;

FormsAuthentication.SignOut();
HttpContext.Current.User =
    new GenericPrincipal(new GenericIdentity(string.Empty), null);

// now HttpContext.Current.User.Identity.IsAuthenticated == false
// and Page.User.Identity.IsAuthenticated == false

This is useful when you sign out the current user and wish to respond with the actual page without doing a redirect. You can check IsAuthenticated where you need it within the same page request.

answered Apr 10 '13 at 14:21

Mart

5,010
3
30
43

Slightly delayed answer but from memory I think this is similar to how the problem was resolved in the end! – lisburnite Apr 11 '13 at 15:18
14

Slightly delayed for you but I just had the same problem and found your excellent question without an appropriate answer. I hope it will help others. – Mart Apr 11 '13 at 17:27
1

this helped me! Thanks Mart! +1 :) – jomsk1e Jun 18 '13 at 11:19
helped me in 2013 too! :) – Mahmoud Moravej Jul 22 '13 at 11:32
8

Works perfect with MVC4, with a small change: `HttpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);` – Ferran Salguero Sep 17 '13 at 11:10
2

I also went for HttpContext.Current.User = null; Useful if you're checking for a null "User". – Bern Jan 26 '15 at 15:31
Please show full paths of libraries used: System.Web.HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(new System.Security.Principal.GenericIdentity(string.Empty), null); – Spencer Sullivan Feb 11 '20 at 20:07

score 13 · Answer 2 · answered May 26 '11 at 19:12

A person is only authenticated once per request. Once ASP.NET determines if they are authenticated or not, then it does not change for the remainder of that request.

For example, when someone logs in. When you set the forms auth cookie indicating that they are logged in, if you check to see if they are authenticated on that same request, it will return false, but on the next request, it will return true. The same is happening when you log someone out. They are still authenticated for the duration of that request, but on the next one, they will no longer be authenticated. So if a user clicks a link to log out, you should log them out then issue a redirect to the login page.

score 6 · Answer 3 · answered Oct 29 '10 at 11:51

6

I remember having a similar problem and I think I resolved it by expiring the forms authentication cookie at logout time:

FormsAuthentication.SignOut();
Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddYears(-1);

answered Oct 29 '10 at 11:51

PatrickSteele

13,475
2
44
52

score 4 · Answer 4 · answered Dec 06 '16 at 09:30

Why are you executing logout code in the login.aspx?

Put this code in e.g. logout.aspx:

FormsAuthentication.SignOut()
Session.Abandon()
FormsAuthentication.RedirectToLoginPage()
HttpContext.Current.ApplicationInstance.CompleteRequest()
return

IsAuthenticated will be false in login.aspx. Login and logout code are now separated: Single Responsibility.

score 1 · Answer 5 · edited Jul 26 '19 at 06:11

In one of my application when I am signIn with credentials , navigating to different forms in an application then i have copied one of my navigated form url then logout form the application. in the search tab i have paste the url the browser is navigating to the specific form in my application without login. while checking the form authentication as page.User.Identity.IsAuthenticated getting as true even when we logout.The causes for this is while clearing the session on logout i have added

Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddYears(-1);

with this I am not getting that issue again and the flag page.User.Identity.IsAuthenticated getting as false when we are navigating to the different forms in an application without login.

score 1 · Answer 6 · answered May 16 '11 at 08:51

1

In your login.aspx Page_Load method:

if (!this.IsPostBack)
{
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        FormsAuthentication.SignOut();
        Response.Redirect(Request.RawUrl);
    }
}

answered May 16 '11 at 08:51

James McCormack

8,920
3
45
55

score 0 · Answer 7 · edited Jun 20 '20 at 09:12

0

Update

I got comments that my answer didn't work with many folks. I wrote this answer back in 2011 after tearing my hear. So I am pretty sure it solved the problem.

I started to research this 6 years old problem and came to this solution which I believe might be the proper way of deleting the cookies which is by creating them again but with expired dates.

This works for me

public virtual ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        foreach (var cookie in Response.Cookies.AllKeys)
        {
            Response.Cookies.Remove(cookie);
        }
        return RedirectToAction(MVC.Home.Index());
    }

edited Jun 20 '20 at 09:12

Community

1
1

answered May 26 '11 at 19:06

Korayem

10,709
5
65
52

1

Removing a cookie on response will _not_ cause it to be deleted. Cookies need to expire, that's the only way to delete ones that are already set. – Sergey Jan 22 '16 at 22:46
Also you would not want to "expire" all cookies only the auth cookies – Mike Dec 07 '17 at 19:50
@Mike how about this solution https://stackoverflow.com/a/24961207/80434? – Korayem Dec 11 '17 at 15:18
Yes that example works because the person goes through all the cookies on the *response* and changes them to be already expired, then those expired cookies are sent in the response and when the client browser receives them, it automatically deletes them because they're expired. The `HttpContext.Current.Request.Cookies.Clear();` line is modifying the current *request* object, not the response - that means that as the code continues processing that request, there are no cookies for it to work with. The response however *still* contains all the cookies, but expired. – Sergey Feb 15 '18 at 18:00
Your example does _nothing_ to change the expiration of the cookies. ...I do have to admit that I'm not sure if `HttpOnly` cookies have to be deleted that way. It's possible that all they need is to be removed. – Sergey Feb 15 '18 at 18:03

Page.User.Identity.IsAuthenticated still true after FormsAuthentication.SignOut()

7 Answers7

Update

Linked