FormsAuthentication.SignOut() 在更改 CookieDomain 后不起作用
FormsAuthentication.SignOut() not working after changing the CookieDomain
在 web.config 中,我们有以下内容:
<authentication mode="Forms">
<!-- Original setting: no domain attribute, so the ".PX" ticket cookie is host-only (returned only to the exact host that issued it).
     timeout="43200" is in minutes (30 days) and slidingExpiration="true" renews it on activity. -->
<forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" />
</authentication>
我们已将其更新为:
<authentication mode="Forms">
<!-- domain="[websitename].com" widens the ".PX" ticket cookie to the whole registrable domain: every subdomain
     receives it and can itself set a cookie of that name, so the ticket is only as trustworthy as the least
     trusted subdomain. A ticket issued before this change carried no Domain attribute and is therefore a
     different cookie to the browser, which is why sign-out must expire both variants.
     timeout="43200" is in minutes (30 days), renewed on each request by slidingExpiration="true". -->
<forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" enableCrossAppRedirects="true" domain="[websitename].com" />
</authentication>
问题是,当我们调用 FormsAuthentication.SignOut() 时,已登录的用户不再被注销。
我现在不只是调用 FormsAuthentication.SignOut(),而是执行以下操作,但它仍然没有注销当前登录的用户:
private static void SignOut(HttpContextBase context)
{
    // Expire the forms ticket cookie for every domain/HttpOnly combination the
    // browser may be holding: the domain configured in web.config and a
    // host-only cookie (Domain = null) issued before the domain attribute was added.
    string cookieName = FormsAuthentication.FormsCookieName;
    string cookiePath = FormsAuthentication.FormsCookiePath;
    string[] domains = { FormsAuthentication.CookieDomain, null };
    foreach (string domain in domains)
    {
        RemoveCookie(context, cookieName, cookiePath, domain, httpOnly: true);
        RemoveCookie(context, cookieName, cookiePath, domain, httpOnly: false);
    }

    // Drop the request-side cookie collection and the server session.
    context.Request.Cookies.Clear();
    context.Session.Abandon();

    // NOTE(review): the question reports that FormsAuthentication.SignOut() calls
    // Response.Cookies.RemoveCookie(FormsCookieName), which discards the expiring
    // cookies queued above; running it last is why this version does not sign out.
    FormsAuthentication.SignOut();
}
private static void RemoveCookie(HttpContextBase context, string name, string path, string domain, bool httpOnly)
{
    // Queue an already-expired replacement so the browser discards the cookie
    // identified by (name, domain, path). The placeholder value is never read;
    // only the expiry date in the past matters.
    HttpCookie expired = new HttpCookie(name, "NoCookie");
    expired.Path = path;
    expired.Domain = domain;   // null => host-only cookie
    expired.Secure = false;    // hard-coded; does not mirror FormsAuthentication.RequireSSL
    expired.Shareable = false;
    expired.HttpOnly = httpOnly;
    expired.Expires = DateTime.Now.AddDays(-1);

    context.Response.Cookies.Add(expired);
}
在 FormsAuthentication.SignOut() 中有一个调用会从响应中删除所有以前添加的 cookie:context.Response.Cookies.RemoveCookie(FormsCookieName);
(https://github.com/Microsoft/referencesource/blob/master/System.Web/Security/FormsAuthentication.cs#L421)
调整这些调用的顺序似乎可以解决问题:
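/// <summary>
/// Signs the current user out: abandons the server session, lets
/// FormsAuthentication.SignOut() run first, and then expires the ticket cookie
/// for every domain/HttpOnly variant the browser may still hold (the configured
/// cookie domain and a host-only cookie issued before the domain attribute was
/// added to web.config).
/// </summary>
/// <param name="context">The request context whose session and cookies are cleared.</param>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
/// <remarks>
/// FormsAuthentication.SignOut() calls Response.Cookies.RemoveCookie(FormsCookieName),
/// so it must run before the RemoveCookie calls below or it discards them.
/// </remarks>
private static void SignOut(HttpContextBase context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    // Session is null when session state is disabled for the request; do not
    // let that turn a sign-out into a NullReferenceException.
    if (context.Session != null)
    {
        context.Session.Abandon();
    }

    FormsAuthentication.SignOut();

    string cookieName = FormsAuthentication.FormsCookieName;
    string cookiePath = FormsAuthentication.FormsCookiePath;
    string[] domains = { FormsAuthentication.CookieDomain, null };
    foreach (string domain in domains)
    {
        RemoveCookie(context, cookieName, cookiePath, domain, true);
        RemoveCookie(context, cookieName, cookiePath, domain, false);
    }

    // Clear the request-side copy so code later in this request no longer sees the ticket.
    context.Request.Cookies.Clear();
}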
在 web.config 中,我们有以下内容:
<authentication mode="Forms">
<!-- Original setting: no domain attribute, so the ".PX" ticket cookie is host-only (returned only to the exact host that issued it).
     timeout="43200" is in minutes (30 days) and slidingExpiration="true" renews it on activity. -->
<forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" />
</authentication>
我们已将其更新为:
<authentication mode="Forms">
<!-- domain="[websitename].com" widens the ".PX" ticket cookie to the whole registrable domain: every subdomain
     receives it and can itself set a cookie of that name, so the ticket is only as trustworthy as the least
     trusted subdomain. A ticket issued before this change carried no Domain attribute and is therefore a
     different cookie to the browser, which is why sign-out must expire both variants.
     timeout="43200" is in minutes (30 days), renewed on each request by slidingExpiration="true". -->
<forms loginUrl="~/login" timeout="43200" slidingExpiration="true" name=".PX" enableCrossAppRedirects="true" domain="[websitename].com" />
</authentication>
问题是,当我们调用 FormsAuthentication.SignOut() 时,已登录的用户不再被注销。
我现在不只是调用 FormsAuthentication.SignOut(),而是执行以下操作,但它仍然没有注销当前登录的用户:
private static void SignOut(HttpContextBase context)
{
    // Expire the forms ticket cookie for every domain/HttpOnly combination the
    // browser may be holding: the domain configured in web.config and a
    // host-only cookie (Domain = null) issued before the domain attribute was added.
    string cookieName = FormsAuthentication.FormsCookieName;
    string cookiePath = FormsAuthentication.FormsCookiePath;
    string[] domains = { FormsAuthentication.CookieDomain, null };
    foreach (string domain in domains)
    {
        RemoveCookie(context, cookieName, cookiePath, domain, httpOnly: true);
        RemoveCookie(context, cookieName, cookiePath, domain, httpOnly: false);
    }

    // Drop the request-side cookie collection and the server session.
    context.Request.Cookies.Clear();
    context.Session.Abandon();

    // NOTE(review): the question reports that FormsAuthentication.SignOut() calls
    // Response.Cookies.RemoveCookie(FormsCookieName), which discards the expiring
    // cookies queued above; running it last is why this version does not sign out.
    FormsAuthentication.SignOut();
}
private static void RemoveCookie(HttpContextBase context, string name, string path, string domain, bool httpOnly)
{
    // Queue an already-expired replacement so the browser discards the cookie
    // identified by (name, domain, path). The placeholder value is never read;
    // only the expiry date in the past matters.
    HttpCookie expired = new HttpCookie(name, "NoCookie");
    expired.Path = path;
    expired.Domain = domain;   // null => host-only cookie
    expired.Secure = false;    // hard-coded; does not mirror FormsAuthentication.RequireSSL
    expired.Shareable = false;
    expired.HttpOnly = httpOnly;
    expired.Expires = DateTime.Now.AddDays(-1);

    context.Response.Cookies.Add(expired);
}
在 FormsAuthentication.SignOut() 中有一个调用会从响应中删除所有以前添加的 cookie:context.Response.Cookies.RemoveCookie(FormsCookieName);
(https://github.com/Microsoft/referencesource/blob/master/System.Web/Security/FormsAuthentication.cs#L421)
调整这些调用的顺序似乎可以解决问题:
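/// <summary>
/// Signs the current user out: abandons the server session, lets
/// FormsAuthentication.SignOut() run first, and then expires the ticket cookie
/// for every domain/HttpOnly variant the browser may still hold (the configured
/// cookie domain and a host-only cookie issued before the domain attribute was
/// added to web.config).
/// </summary>
/// <param name="context">The request context whose session and cookies are cleared.</param>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
/// <remarks>
/// FormsAuthentication.SignOut() calls Response.Cookies.RemoveCookie(FormsCookieName),
/// so it must run before the RemoveCookie calls below or it discards them.
/// </remarks>
private static void SignOut(HttpContextBase context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    // Session is null when session state is disabled for the request; do not
    // let that turn a sign-out into a NullReferenceException.
    if (context.Session != null)
    {
        context.Session.Abandon();
    }

    FormsAuthentication.SignOut();

    string cookieName = FormsAuthentication.FormsCookieName;
    string cookiePath = FormsAuthentication.FormsCookiePath;
    string[] domains = { FormsAuthentication.CookieDomain, null };
    foreach (string domain in domains)
    {
        RemoveCookie(context, cookieName, cookiePath, domain, true);
        RemoveCookie(context, cookieName, cookiePath, domain, false);
    }

    // Clear the request-side copy so code later in this request no longer sees the ticket.
    context.Request.Cookies.Clear();
}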