By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,492 Members | 1,242 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,492 IT Pros & Developers. It's quick & easy.

SignOut not working due to multiple encrypted TicketCookies?

P: n/a
Ok, I spend now half the night to get this working. And actuallyit works, the only problem is, my user can't sign out anymore.

Here is what I'm doing: I've got a web-app which has twosubdirectories: AdminArea and EditorArea, to which access isrestricted per role. Here an excerpt from my web.config:

<location path="EditorArea">
<allow roles="Editors" />
<deny users="*" />

Ok, and here goes the code which executes, whenever the user hitsthe logon button (the details of validating username andpassword are omitted):

// the user (sUser) is valid, password correct...
FormsAuthenticationTicket ticket = newFormsAuthenticationTicket(

string sEncTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = newHttpCookie(FormsAuthentication.FormsCookieName, sEncTicket);


What happens here is that I fetch the Role this user belongs tofrom a Database and add it to the UserData field of the ticket,so that I don't have to go check everytime the user requests apage.

Next thing is to authenticate each page request. Here is theevent handler in my global.asax:

protected void Application_AuthenticateRequest(Object sender,EventArgs e) {

if(Request.IsAuthenticated) {

string[] sRoles = new string[1];

FormsAuthenticationTicket ticket =
FormsAuthentication.Decrypt(Request.Cookies.Get(Fo rmsAuthentication.FormsCookieName).Value);

if (ticket == null) {
throw new Exception("Authorisation Ticket invalid!");

sRoles[0] = ticket.UserData;

Context.User = new System.Security.Principal.GenericPrincipal(newForm sIdentity(ticket), sRoles);

Fine, it works. Only Admins can access the AdminArea and so on.But now I'm getting wild, because I want to add a Logoff. SayI've got a page that is called "AdminDefault.aspx". After thesuccessful logon, the (Admin-) User is redirected to this page.On the page is a button called sign out, which, in its clickhandler, transfers the user to the logout page, which actuallywill attempt to perform the logout using this:

Response.Cookies.Clear(); // try harder
Response.Redirect("Logon.aspx", true);</code>

If you are as tired as I am by know, you'll just try <i>anything</i>to get rid of the *?%"-cookies. The problem is, thatwhatever I do, the cookies remain (or are re-injected into theresponse?). I simply can't log out. I'm transfered to thelogon.aspx page, and looking at the trace I see that I received2 (TWO) encrypted cookies which belong to FormsAuthentication.

I really, really would be glad if somebody could shed some lightand send me to bed X|


From: Matthias Steinbart

Posted by a user from .NET 247 (

Nov 19 '05 #1
Share this question for a faster answer!
Share on Google+

This discussion thread is closed

Replies have been disabled for this discussion.