Thanks for your expert advice Jerry, but the question is still posed - why
does FormsAuthentication.SignOut() NOT work?
As far as your questions are concerned, I am language-agnostic - I go
between C#, Java and VB without any difficulty. Maybe this is due to my
human language capabilities too. Not to brag, but I also read, write and
speak three (3) languages, fluently.
As for cross-posting, the answer is YES. I initially posted this question
on the security newsgroup but did not get an answer, and I have not checked
yet, but as of yesterday I still did not get a response from
aspnet.security. I know the providers of news.microsoft.com hate it when
people like me cross-post, but cross-posting actually works and it helps me
get quicker help.
"Jerry III" <je******@hotmail.com> wrote in message
news:#J**************@TK2MSFTNGP12.phx.gbl...
The cookie is the ticket. If you tell the client to delete it and they
don't (or have a copy somewhere else) there's nothing you can do. You can only
set the ticket to be valid during a specific time period but you will never be
able to prevent this type of attack. You can make it harder by using SSL
for your requests but it still will not stop someone from copying the cookie
if they have access to the original browser (which you said they did).
Why did you post this in a csharp group? Apparently you're using VB.
Why did you post this in webservices group?
Why did you post this in a mobile group?
Why did you post this in a caching group?
Do you actually think that posting in more groups will result in more
answers?
Jerry
"Ali" <el********@hotmail.com> wrote in message
news:#R**************@TK2MSFTNGP09.phx.gbl...
Our security people have been able to copy and use the
FormsAuthentication cookie. Our Authentication cookie is based on an encrypted ticket and we
use FormsAuthentication.SignOut() when users log out or kill their session,
but apparently the secure ticket does not get removed from the server by
FormsAuthentication.SignOut().
We have been able to time-out the ticket on the server, but we need to
be able to remove the ticket at any time.
This is our logout procedure:
FormsAuthentication.SignOut()        ' removes the forms-auth cookie from the client only
Session.Abandon()                    ' ends the server-side session state
Response.Redirect("Autheticate.aspx")
Thanks
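The point Jerry makes is that FormsAuthentication.SignOut() only tells the browser to drop the cookie; the server keeps no record of issued tickets, so a copied cookie keeps working until the ticket expires. The usual defensive answer is to give each ticket a server-side identity and keep a revocation list. The following C# is an added example for a Global.asax.cs, not code from this thread or from Ali's project. It assumes .NET 4 or later (for ConcurrentDictionary), and the method names IssueTicket, Logout and PruneRevoked, the in-memory revocation store, and the 30-minute lifetime are all assumptions made for the example.

```csharp
// Global.asax.cs (assumed file) - server-side revocation for forms-auth tickets.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Constructed in-memory store: ticket id -> time the ticket would have expired anyway.
    // A web farm would need a shared store (cache or database) so every server sees it.
    static readonly ConcurrentDictionary<string, DateTime> Revoked =
        new ConcurrentDictionary<string, DateTime>();

    // Issue a ticket whose UserData carries a unique id, so this exact ticket can be revoked later.
    public static void IssueTicket(HttpResponse response, string userName)
    {
        string ticketId = Guid.NewGuid().ToString("N");
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), // 30 min lifetime is an assumption
            false, ticketId, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                        // keep script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // send only over HTTPS when configured
        response.Cookies.Add(cookie);
    }

    // Logout: record the ticket id on the server, then clear the client cookie as before.
    public static void Logout(HttpContext ctx)
    {
        HttpCookie c = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (c != null)
        {
            try
            {
                FormsAuthenticationTicket t = FormsAuthentication.Decrypt(c.Value);
                if (t != null) Revoked[t.UserData] = t.Expiration;
            }
            catch (ArgumentException) { /* tampered or foreign cookie: nothing to revoke */ }
        }
        FormsAuthentication.SignOut();
        ctx.Session.Abandon();
    }

    // Drop revocation entries for tickets that have expired on their own.
    public static int PruneRevoked()
    {
        int removed = 0;
        foreach (var kv in Revoked)
        {
            DateTime unused;
            if (kv.Value < DateTime.Now && Revoked.TryRemove(kv.Key, out unused)) removed++;
        }
        return removed;
    }

    // Runs after FormsAuthenticationModule has set Context.User from the cookie.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie c = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (c == null) return;

        FormsAuthenticationTicket t;
        try { t = FormsAuthentication.Decrypt(c.Value); }
        catch (ArgumentException) { return; }
        if (t == null || t.Expired) return;

        if (Revoked.ContainsKey(t.UserData))
        {
            // A copied cookie presented after logout: treat the request as anonymous
            // so UrlAuthorizationModule sends it back to the login page.
            FormsAuthentication.SignOut();
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
        }
    }
}
```

With this in place, the logout handler calls Global.Logout(Context) instead of SignOut() alone; the redirect to the login page stays as it was. Tickets issued by the stock login flow carry no id in UserData, so the login page must call IssueTicket rather than FormsAuthentication.SetAuthCookie for the revocation check to apply. Note that the ticket still has to be kept short-lived: the revocation list covers replay after logout, not a copy used while the user is still logged in.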