September 5, 2008

[ASP.Net] Authentication ticket added manually by code could not be removed

When validating users in a custom authentication module or in aspx code, we can manually add an authentication ticket to the response with code like the following:

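// Build a persistent ticket for the user (value) with a 10-minute timeout.
FormsAuthenticationTicket fat = new FormsAuthenticationTicket(value, true, 10);
// Put the encrypted ticket in a cookie that expires together with the ticket.
HttpCookie cookie = new HttpCookie(".AUTHFORM");
cookie.Value = FormsAuthentication.Encrypt(fat);
cookie.Expires = fat.Expiration;
// Send the cookie to the browser with this response.
HttpContext.Current.Response.Cookies.Add(cookie);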




When the ticket is no longer needed, you may want to remove it with





FormsAuthentication.SignOut();
//or
HttpContext.Current.Response.Cookies.Remove(".AUTHFORM");




Although MSDN states that FormsAuthentication.SignOut() removes the forms-authentication ticket, you will sadly find that this does not seem to be true for a ticket created in code.



So to solve this, we simply set the cookie's expiration to Now.





HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName].Expires = System.DateTime.Now;



This expires the existing ticket.
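
An added example (not code from the original post): a C# helper that issues and later expires the ticket cookie under the same name and path, since a browser only discards a cookie when the expiring Set-Cookie matches the one it stored. The class name ManualFormsTicket and its method names are hypothetical, and it assumes the ticket is issued under the configured FormsAuthentication.FormsCookieName rather than a hard-coded name.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper; the class and method names are assumptions for illustration.
public static class ManualFormsTicket
{
    // Issue the ticket under the configured cookie name and path so that
    // the sign-out code can address exactly the same cookie later.
    public static void Issue(HttpContext ctx, string userName, int timeoutMinutes)
    {
        FormsAuthenticationTicket ticket =
            new FormsAuthenticationTicket(userName, true, timeoutMinutes);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
        cookie.Value = FormsAuthentication.Encrypt(ticket);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Expires = ticket.Expiration;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follow <forms requireSSL="...">
        ctx.Response.Cookies.Add(cookie);
    }

    // Overwrite the cookie with an empty, already-expired one.
    // Response.Cookies.Remove() only drops the cookie from the outgoing
    // response collection; the browser keeps its stored copy.
    public static void Revoke(HttpContext ctx)
    {
        HttpCookie expired =
            new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty);
        expired.Path = FormsAuthentication.FormsCookiePath;
        expired.HttpOnly = true;
        expired.Secure = FormsAuthentication.RequireSSL;
        expired.Expires = DateTime.Now.AddDays(-1);      // in the past, so the browser deletes it

        // Set() replaces any cookie of the same name already queued in this response.
        ctx.Response.Cookies.Set(expired);

        // Expiring the cookie only asks the browser to discard it. The encrypted
        // ticket itself stays valid until its own Expiration, so keep the
        // timeout passed to Issue() short.
    }
}
```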
