On your logout routine, redirect the person to a page. The session.abandon is
not complete on the client side until you ask for another page, as it has to
send a new session cookie (server cookie) to your browser. Until that point
in time, you are still "authenticated".
As a safety measure, you can add a handler that ensures only active
credentials can access anything and, possibly, expire pages so the user, at
best, gets those ugly "page no longer valid" pages.
--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
***************************
Think Outside the Box!
***************************
"Fabio Cavassini" wrote:
I've got the following configuration in Web.config
<authentication mode="Forms">
<forms name=".ASPXCOOKIE" loginUrl="sigin.aspx" protection="All"
timeout="30" path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
When I first try to get a page from the application (let's say ot.aspx)
it redirects to the sigin.aspx page.
Once logged I execute Session.Abandon
Now, I can get the "ot.aspx" page again without having to sig in
It would only ask me again to sigin until I close the browser, wht?
Best Regards
Fabio Cavassini
http://www.pldsa.com