Forms Authentication Persistent Cookies Problem

  • Thread starter: Joey Powell

Joey Powell

Hello, I originally configured my application to use persistent
cookies in error. Now, I need to find a way to disable those cookies.
I have tried changing usernames and passwords for all of the users,
but that doesn't help - they can still access our site using their old
persistent cookies. How can I disable them and force the users to log
in again?
 
Hi Joey,

Based on my research and experience, we have two solutions for this issue.

1. Clean the cookies on the client side.

2. Call the FormsAuthentication.SignOut Method.

Please refer to the following URLs for the detailed information regarding
this issue.

FormsAuthentication.SignOut Method
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemWebSecurityFormsAuthenticationClassSignOutTopic.asp
"...
This removes either durable or session cookies.
..."

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using C# .NET
http://support.microsoft.com/default.aspx?scid=kb;en-us;301240

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using Visual Basic .NET
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308157

Does it answer your question? If I have misunderstood your concern, please
feel free to let me know.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Jacob, I understand that. But neither of these solutions is practical,
because I don't have access to the client machines. Doesn't it make
sense to assume that asp.net would provide some way for me to control
access to *my* application, and from *my* web server?

If I want to "turn off" the user's access to my application, are you
saying that I will have to travel hundreds of miles and visit dozens
of machines to manually remove persistent cookies? If that is the case
then I am the developer of a web application that I cannot control
access to. This does not make any sense to me. Please advise.
 
Hi Joey,

Thank you for your update. It seems that there is some misunderstanding in
this issue.

As I understand, what you really want is:

1. Disable the cookies so that the user cannot access the web page without
login.

2. You still want to use the persistent cookies feature in your web
application.

My meaning of my past post is not that you have to travel hundreds of miles
and visit dozens of machines. I think that you can ask your customers to do
it on the client side. I apologize for it if there is any misunderstanding.
Since the two solutions in my past post are not practical to you, I have
another solution for your reference. Please check the following articles
carefully which I have mentioned in my past post:

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using C# .NET
http://support.microsoft.com/default.aspx?scid=kb;en-us;301240

HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by
Using Visual Basic .NET
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308157

In the web.config file, we can find the following code:
...
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
protection="All" path="/" timeout="30" />
</authentication>
...

Please change the value of the "name" (name=".ASPXFORMSDEMO") and rebuild
your web application. In addition, would you please tell me the value of
the "timeout" on your side?

If I have misunderstood your concern, please feel free to let me know.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
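
A server-side way to revoke outstanding tickets without renaming the cookie, as an added example that is not from the thread or from Microsoft: each ticket is stamped with an epoch value in UserData and rejected once the stamp no longer matches. The `AuthEpoch` class and the `AuthTicketEpoch` appSettings key are hypothetical names, and `ConfigurationManager` assumes .NET 2.0 or later.

```csharp
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): stamps each ticket with an "epoch".
public static class AuthEpoch
{
    // Assumed appSettings key; change its value to revoke all outstanding tickets.
    public static string Current
    {
        get { return ConfigurationManager.AppSettings["AuthTicketEpoch"] ?? "1"; }
    }

    // Call from the login page in place of FormsAuthentication.SetAuthCookie.
    public static void SignIn(HttpResponse response, string userName, bool persistent)
    {
        // GetAuthCookie applies the configured name, path and timeout;
        // rebuild its ticket with the current epoch in UserData.
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
        FormsAuthenticationTicket stamped = new FormsAuthenticationTicket(
            t.Version, t.Name, t.IssueDate, t.Expiration,
            t.IsPersistent, Current, t.CookiePath);
        cookie.Value = FormsAuthentication.Encrypt(stamped);
        response.Cookies.Add(cookie);
    }
}

// Global.asax code-behind.
public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has validated the cookie and set User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity id = (Context.User == null) ? null
            : Context.User.Identity as FormsIdentity;
        if (id == null) return;                      // no forms ticket on this request

        // Sliding renewal copies UserData, so the stamp survives renewals.
        if (id.Ticket.UserData == AuthEpoch.Current) return;

        // Old or unstamped ticket: expire the cookie and treat the request as
        // anonymous so the <authorization> rules send the user to loginUrl.
        FormsAuthentication.SignOut();
        Context.User = new GenericPrincipal(
            new GenericIdentity(string.Empty), new string[0]);
    }
}
```

Cookies issued before this code was deployed carry an empty UserData, so they fail the comparison and are revoked on their next request.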
 
Thanks guys for your help. I finally got it. I did not realize that
all I needed to do was change the name of the cookie!
 