Saturday, February 24, 2007 |
Can’t sign out of website in ASP.NET 2.0 / Single Sign On
This stupid issue has plagued me for a while now. I eventually figured out what the issue was related to, I just didn’t know how to fix it until recently. The issue I was running into was this:
A user types “mydomain.com” into the address bar and then logs in, checking the “Remember Me” checkbox. The user comes back to the website at a later date and is automatically logged in, as they should be. Then they decide to log out, but when they click the logout link at the top of the page, the page refreshes and they aren’t logged out.
I wasn’t sure what the issue was, so I wrote a custom logout page that my Logout link directs the user to. The logout page just executes the following code:

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        ' Only tear down state for a user who actually holds a forms ticket
        If User.Identity.IsAuthenticated = True Then
            Session.Abandon()
            FormsAuthentication.SignOut()
        End If
        Response.Redirect("~/Login.aspx")
    End Sub
However, this created another issue. Sometimes the user would be directed to the Login page after the code was executed but would just see a blank login page. If they navigated back to the home page, they would still be logged in.
I discovered that if the user logged in when the address read http://mydomain.com/login.aspx, and then later tried to click logout when the address read http://www.mydomain.com/somepage.aspx, they are not logged out. So it appears that the forms authentication cookie is specific to whether www is present in the URL.
I was able to fix this issue by writing code to change the cookie that was being used to authenticate the user. However, I just found the correct way to fix it. If you do a lot of web development and frequently have to program around the forms security model, I highly recommend the following book: ASP.NET 2.0 Security, Membership, and Role Management (WROX) by Stefan Schackow.
After reading chapter 5 and the section “Passing Tickets across Applications”, the answer was clear. It’s really a Single Sign On or SSO issue. In the Forms section of the web.config I needed to specify the domain. Otherwise, when the cookie is issued it will use the domain that is showing in the address bar which may or may not contain the www depending on how the user typed it in. Here is the code.
<forms loginUrl="Login.aspx" protection="Validation" timeout="5000000" path="/" domain="mydomain.com" />
Adding the domain attribute to the forms element causes the forms authentication ticket to be issued using the exact domain you specify. It will also use that domain setting when signing out and expiring the ticket. Using this setting allows users to log in at http://mydomain.com and still be authenticated when they are sent to http://subdomain.mydomain.com.
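To make the cookie behaviour concrete, here is an added example (not code from the original post or from ASP.NET itself) that applies the browser's cookie domain-matching rules from RFC 6265 to the two scenarios above: a ticket issued at mydomain.com and then expired from www.mydomain.com, with and without the domain attribute. It assumes the default ASP.NET 2.0 cookie name ".ASPXAUTH"; the cookie jar is a deliberately small model of what a browser does, not a real client.

```python
"""Browser-side model of forms-authentication cookie scoping.

Added example, not code from the original post or from ASP.NET itself.
It applies the cookie domain-matching rules from RFC 6265 (section 5.1.3)
to show why a ticket issued at mydomain.com survives SignOut() performed at
www.mydomain.com unless <forms domain="mydomain.com"> is set. The cookie
name ".ASPXAUTH" is the ASP.NET 2.0 default and is assumed unchanged.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUTH_COOKIE = ".ASPXAUTH"


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # request host (host-only) or the Domain attribute
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


class CookieJar:
    """Minimal cookie store keyed by (name, domain), as RFC 6265 5.3 requires."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Cookie] = {}

    def set_cookie(self, request_host: str, name: str,
                   domain_attr: Optional[str] = None, expire: bool = False) -> None:
        """Process a Set-Cookie received from request_host.

        No Domain attribute -> host-only cookie for exactly request_host.
        Domain attribute   -> cookie for that domain and all its subdomains,
                              ignored if request_host is not inside it.
        expire=True models an Expires date in the past (what SignOut sends).
        """
        if domain_attr is None:
            cookie = Cookie(name, request_host.lower(), host_only=True)
        else:
            dom = domain_attr.lower().lstrip(".")
            if not domain_matches(request_host, dom):
                return  # browser ignores a cookie for an unrelated domain
            cookie = Cookie(name, dom, host_only=False)
        key = (cookie.name, cookie.domain)
        if expire:
            self._store.pop(key, None)  # only an exact (name, domain) match is removed
        else:
            self._store[key] = cookie

    def cookies_for(self, request_host: str) -> List[str]:
        """Names of cookies the browser would attach to a request to request_host."""
        host = request_host.lower()
        sent = []
        for c in self._store.values():
            if c.host_only and c.domain == host:
                sent.append(c.name)
            elif not c.host_only and domain_matches(host, c.domain):
                sent.append(c.name)
        return sorted(sent)


def still_logged_in_after_signout(login_host: str, logout_host: str,
                                  forms_domain: Optional[str] = None) -> bool:
    """Log in at login_host, later call SignOut() from a page on logout_host.

    forms_domain models the <forms domain="..."> attribute (None = absent).
    Returns True if a request to login_host still carries the auth cookie.
    """
    jar = CookieJar()
    jar.set_cookie(login_host, AUTH_COOKIE, forms_domain)               # ticket issued
    jar.set_cookie(logout_host, AUTH_COOKIE, forms_domain, expire=True)  # SignOut()
    return AUTH_COOKIE in jar.cookies_for(login_host)


def hosts_seeing_ticket(login_host: str, forms_domain: Optional[str],
                        hosts: List[str]) -> Dict[str, bool]:
    """Which hosts receive the ticket after a single login at login_host."""
    jar = CookieJar()
    jar.set_cookie(login_host, AUTH_COOKIE, forms_domain)
    return {h: AUTH_COOKIE in jar.cookies_for(h) for h in hosts}


if __name__ == "__main__":
    hosts = ["mydomain.com", "www.mydomain.com", "subdomain.mydomain.com"]
    print("no domain attr, SignOut at www, still logged in:",
          still_logged_in_after_signout("mydomain.com", "www.mydomain.com"))
    print("domain=mydomain.com, SignOut at www, still logged in:",
          still_logged_in_after_signout("mydomain.com", "www.mydomain.com", "mydomain.com"))
    print("hosts seeing ticket, no domain attr:", hosts_seeing_ticket("mydomain.com", None, hosts))
    print("hosts seeing ticket, domain attr:   ", hosts_seeing_ticket("mydomain.com", "mydomain.com", hosts))
```

Without the domain attribute the login at mydomain.com stores a host-only cookie for that exact host; the SignOut() from www.mydomain.com writes an expiry for a cookie keyed (.ASPXAUTH, www.mydomain.com), which never existed, so the original ticket survives. With domain="mydomain.com" both the issue and the expiry are keyed (.ASPXAUTH, mydomain.com) and the logout works from any host under the domain. The flip side is that the ticket is then sent to every subdomain, so each of those hosts is inside the authentication trust boundary. Two other settings in the snippet deserve a second look when copying it: timeout is in minutes, so 5000000 keeps a ticket valid for roughly nine and a half years, and protection="Validation" signs the ticket but does not encrypt it (the default, "All", does both).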
jeremy at 11:16 AM