Micah Armantrout - 2 months ago
ASP.NET (C#) Question

ASP.NET: get rid of session on server on logout after clearing cookies, session, and FormsAuth

I am having trouble with a security issue of ASP.NET. On log out I want to make sure the session is destroyed so that someone can't take the same session id and auth cookies, edit their cookies, and have the server still respond to the session.

// sign out and drop the server-side session state
FormsAuthentication.SignOut();
Session.Abandon();
Session.RemoveAll();
Session.Clear();


I have also tried to write new cookies to the client

// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// clear session id cookie
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);


I have tried using the following in different orders and still no dice. I am still logged in if I use the original session id and auth cookies. I want the server to totally forget about that session id when I log out. Is this even possible?

Answer

The server does forget about everything related to that session and so makes that session id invalid when you use Session.Clear().

As the MSDN documentation says:

Removes all keys and values from the session-state collection

So even if someone uses the same session id there will be no information attached to it in the server.

[Edit]

As Erik Funkenbusch points out, my solution only works if you store authentication information in the session (obviously). This won't work if you have specific cookies for your authentication system.
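The edit above is the crux of the question: a forms-authentication ticket is a self-contained encrypted cookie validated by decryption alone, so the server holds no state about it and SignOut() only expires the copy on the client that logged out. A replayed copy of the old cookie stays valid until the ticket expires. One way to make it fail is to record each user's logout time on the server and reject any ticket issued at or before that time. This is an added example, not code from the question or the answer; TicketRevocation, LoggedOutAt and RevokeCurrentTickets are hypothetical names, and the in-memory dictionary stands in for a shared store (database or cache) that every server in a farm can see.

```csharp
// Added example (not from the question or answer): reject forms-auth tickets
// issued before the user's last logout. The dictionary is a stand-in for a shared store.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketRevocation
{
    // user name -> local time of the most recent logout (hypothetical store)
    private static readonly ConcurrentDictionary<string, DateTime> LoggedOutAt =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logout handler next to FormsAuthentication.SignOut() and Session.Abandon().
    // FormsAuthenticationTicket.IssueDate is local time, so DateTime.Now is recorded to match.
    public static void RevokeCurrentTickets(string userName)
    {
        LoggedOutAt[userName] = DateTime.Now;
    }

    // True when the ticket was issued at or before the user's last logout: it decrypts fine but is invalid.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime logoutTime;
        return LoggedOutAt.TryGetValue(ticket.Name, out logoutTime)
            && ticket.IssueDate <= logoutTime;
    }
}

// Global.asax.cs: runs after FormsAuthenticationModule has built the principal.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { return; } // tampered cookie: already rejected upstream
        if (ticket == null || !TicketRevocation.IsRevoked(ticket)) return;

        // Replayed cookie from before logout: drop the identity for this request and expire the cookie.
        Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        FormsAuthentication.SignOut();
    }
}
```

Because the ticket itself never changes, this check is what turns a client-side "log out" into a server-side one; the same record also has to survive application restarts, which is why a real deployment keeps it outside process memory.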