How to implement a logout handler in the web application? ASP.NET

Wait, wait! Don’t skip this section. A simple logout can be very cool.

First question: why do people implement a logout page as an .aspx file when it just calls FormsAuthentication.SignOut and redirects to a homepage? You really don’t need to make ASP.NET load an .aspx page, produce HTML, and process through the page life cycle only to do a cookie cleanup and redirect. A simple HTTP 302 can tell the browser to go back to the homepage. So, the logout page is a great candidate for HTTP handlers without any UI.

shows how to implement a logout handler inside a file named Logout.ashx:

Implementing a logout handler in the web application



Handlers are a lot lighter than the .aspx page because they have a very simple life cycle, are instance reusable, and generate a small amount of code when compiled at runtime.

The idea here is to remove all cookies related to the site instead of just removing the forms authentication cookie. When you use an anonymous identification provider, you will find two cookies: .DBAUTH and .DBANON. The forms authentication provider generates the first one and the other one is from the anonymous identification provider. There are two cookies because an anonymous user is different from the user that is logged in. If you call FormsAuthentication.SignOut(), it will just clear the .DBAUTH cookie, but the other one will remain as is. So, after logout, instead of getting a brand new setup, you will get the old setup that you saw when you were an anonymous user during your first visit. The anonymous user is converted to a registered user by directly modifying the aspnet_users table. So, the anonymous user no longer exists in the database. This means the cookie for the anonymous user points to something that no longer exists. So, when the ASP.NET membership provider tries to find the user from the anonymous cookie, it fails.

In a web portal, we want the user to start over with a fresh setup. So, we need to clear both cookies and any other cookie that the widget scripts have used for storing temporary states. You never know what widgets will do with the cookie. Some widgets can secretly keep track of your logged-in session by storing info in a different cookie. When you log out and become an anonymous user, the widget can still access that secret cookie and find out about you. For example, it can easily store your email address when it is loaded in a logged-in session, and after you log out, it can still read that email address from the cookie. It’s a security risk to have any cookie left from your logged-in session after logging out.
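As an added example (not the page's original listing or the author's code), here is one way to write the handler described above so that it expires every cookie the browser sent, not only the forms authentication one. The class name `Logout` and the redirect target `~/Default.aspx` are assumptions.

```csharp
// Added example. Logout.ashx would begin with the directive:
//   <%@ WebHandler Language="C#" Class="Logout" %>
using System;
using System.Web;
using System.Web.Security;

public class Logout : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        // Snapshot the names first: touching Response.Cookies also
        // mutates Request.Cookies within the same request.
        string[] names = context.Request.Cookies.AllKeys;

        foreach (string name in names)
        {
            // The forms auth cookie (.DBAUTH on this page) is left to
            // SignOut(), which applies the configured path and domain.
            if (string.Equals(name, FormsAuthentication.FormsCookieName,
                              StringComparison.OrdinalIgnoreCase))
                continue;

            // Overwrite with an empty, already-expired cookie so the
            // browser discards it. This covers .DBANON and any cookie
            // a widget script left behind during the session.
            var expired = new HttpCookie(name, string.Empty);
            expired.Expires = DateTime.UtcNow.AddDays(-1);
            context.Response.Cookies.Set(expired);
        }

        // Expire the forms authentication ticket cookie.
        FormsAuthentication.SignOut();

        // Plain HTTP 302 to the homepage (assumed path); no page
        // life cycle, no HTML.
        context.Response.Redirect("~/Default.aspx", false);
        context.ApplicationInstance.CompleteRequest();
    }

    // No per-request state is kept, so one instance can be reused.
    public bool IsReusable
    {
        get { return true; }
    }
}
```

A browser only discards a cookie when the expiring cookie matches its name, domain and path, and the request does not reveal the last two. Cookies that widgets set with a non-default path or domain have to be expired with those same values.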
