更改CookieDomain后,FormsAuthentication.SignOut()无法正常工作

时间:2018-11-07 20:33:21

标签: c# forms-authentication

在web.config中,我们有以下内容:

<authentication mode="Forms">
  <forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" />
</authentication>

此后我们将其更新为:

<authentication mode="Forms">
  <forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" enableCrossAppRedirects="true" domain="[websitename].com" />
</authentication>

问题是,当我们致电FormsAuthentication.SignOut()时,已经已登录的用户不再注销。

我现在执行以下操作,而不只是调用FormsAuthentication.SignOut(),但它仍未退出当前登录的用户:

private static void SignOut(HttpContextBase context)
{
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, false);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, false);

    // clear cookies server side
    context.Request.Cookies.Clear();

    context.Session.Abandon();
    FormsAuthentication.SignOut();
}

private static void RemoveCookie(HttpContextBase context, string name, string path, string domain, bool httpOnly)
{
    context.Response.Cookies.Add(new HttpCookie(name, "NoCookie")
    {
        Path = path,
        Domain = domain,
        Secure = false,
        Shareable = false,
        HttpOnly = httpOnly,
        Expires = DateTime.Now.AddDays(-1d)
    });
}

1 个答案:

答案 0 :(得分:2)

FormsAuthentication.SignOut()中有一个调用,它从响应中删除所有先前的cookie:context.Response.Cookies.RemoveCookie(FormsCookieName);https://github.com/Microsoft/referencesource/blob/master/System.Web/Security/FormsAuthentication.cs#L421

更改所有内容的顺序似乎可以解决此问题:

private static void SignOut(HttpContextBase context)
{
    context.Session.Abandon();
    FormsAuthentication.SignOut();

    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, FormsAuthentication.CookieDomain, false);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, true);
    RemoveCookie(context, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath, null, false);

    // clear cookies server side
    context.Request.Cookies.Clear();
}
相关问题
最新问题