
After the user signs out, I can still use the previous cookies in Postman to access app resources.

My method:

using System;
using System.Web;
using System.Web.Security;

// Called from the sign-out action of an MVC controller (Session and Response are Controller members).
public void ClearCookieAndSessionData()
{
    Session.Clear();
    // Session.Abandon();
    Session.RemoveAll();

    // clear authentication cookie by overwriting it with an already-expired one
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    authCookie.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(authCookie);

    // clear session cookie
    HttpCookie sessionCookie = new HttpCookie("ASP.NET_SessionId", "");
    sessionCookie.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(sessionCookie);

    // clear OWIN cookie-middleware cookie
    HttpCookie aspCookies = new HttpCookie(".AspNet.Cookies", "");
    aspCookies.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(aspCookies);

    FormsAuthentication.SignOut();
    FormsAuthentication.RedirectToLoginPage();
}

Need to implement: if the user signs out, the app cannot be accessed with the previous cookies.

Test code: https://github.com/amitsinghrawat1994/SignoutIssue. The above code was generated by the Visual Studio ASP.NET MVC (.NET Framework) template with the "Individual User Accounts" authentication option.

Is there any idea how I can stop access with the previous cookies?

Amit Singh Rawat
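The gap the question describes is that a FormsAuthentication cookie is self-contained: expiring it in the browser does nothing to a copy already captured in Postman. Closing it requires a server-side revocation check on every request. The following is an added example, not code from the question's repository; it assumes an ASP.NET MVC 5 (.NET Framework) app whose auth cookie is issued by FormsAuthentication, and the type names (SessionRevocation, RevocableAuthorizeAttribute) are hypothetical.

```csharp
// Added example, not the question's repository code. Assumes an ASP.NET MVC 5 (.NET Framework)
// app whose auth cookie is issued by FormsAuthentication; type names here are hypothetical.
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Server-side record of each user's most recent sign-out. In-memory for illustration;
// use a database or distributed cache so it survives restarts and works across web-farm nodes.
public static class SessionRevocation
{
    private static readonly ConcurrentDictionary<string, DateTime> LastSignOutUtc =
        new ConcurrentDictionary<string, DateTime>();
    public static void Revoke(string userName) =>
        LastSignOutUtc[userName] = DateTime.UtcNow;
    // A ticket is accepted only if it was issued after the user's most recent sign-out.
    public static bool IsTicketRevoked(FormsAuthenticationTicket ticket) =>
        LastSignOutUtc.TryGetValue(ticket.Name, out var signedOutAt)
        && ticket.IssueDate.ToUniversalTime() <= signedOutAt;
}
// Use in place of [Authorize] (or register globally in FilterConfig) so every
// protected request re-checks the ticket against the revocation record.
public class RevocableAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        var cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; } // tampered or undecryptable cookie
        return ticket != null && !ticket.Expired && !SessionRevocation.IsTicketRevoked(ticket);
    }
}

// Sign-out: record the revocation server-side first, then clear client-side state as before.
public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SignOut()
    {
        if (User.Identity.IsAuthenticated)
            SessionRevocation.Revoke(User.Identity.Name);
        Session.Abandon();
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}
```

If the app's protected resources are actually guarded by the OWIN cookie middleware (the ".AspNet.Cookies" cookie) or by Azure AD B2C tokens rather than by FormsAuthentication, the same idea applies but the check has to be wired into that middleware's validation hook instead.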
  • Thanks for the quick reply @Crowcoder. Fingers crossed, I am checking your reference and will let you know if I have any success. – Amit Singh Rawat Jun 28 '21 at 15:14
  • Hi @Crowcoder, in my app I am also using Azure AD B2C authentication. Can I use it to check whether any HTTP call is authorized or not? – Amit Singh Rawat Jun 28 '21 at 15:20
  • I believe Azure B2C is a JWT/OAuth2 based system which will invalidate tokens when you log out. I'm not sure how you are using both forms authentication and B2C. – Crowcoder Jun 28 '21 at 15:30

0 Answers