Home/ Questions/Q 6973247
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T17:05:01+00:00

I’m having an odd problem with my sessions. I haven’t found a solution even

  • 0

I’m having an odd problem with my sessions. I haven’t found a solution even after searching through the internet for a couple of days and I find it really strange that nobody else seems to be having this problem, which makes me think that it could be something I’m doing wrong.

If I log onto my website and visit a page decorated with the [Authorize] attribute (i.e. it requires the user to have logged on in order to access it), save the request with fiddler, log out and re-issue the request with fiddler one would expect that to fail (or re-direct me to the login page at least) but no, it returns the page as if I were still logged in.

When I’m logging out this is what I do (I’m using asp.net forms authentication)

        FormsAuthentication.SignOut();           
        Session.Clear();
        Session.Abandon();
        Session.RemoveAll();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId",""));

That should work… but it doesn’t.

In case anyone is wondering this is what I am using:
IIS 7.5
MVC 3.0
.NET 4.0

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If I log onto my website and visit a page decorated with the [Authorize] attribute (i.e.
    it requires the user to have logged on in order to access it), save
    the request with fiddler, log out and re-issue the request with
    fiddler one would expect that to fail

    Why would you expect something like this? Forms authentication uses cookies to track logged in users. When you do FormsAuthentication.SignOut(); all that happens is that you remove the authentication cookie so that on subsequent requests from this browser the cookie is no longer sent and the server thinks that the user is not logged in. If on the other hand you have captured a valid cookie with Fiddler, you are perfectly capable of sending a valid request to the server (in the time for which this cookie is valid obviously). There is nothing on the server for it to know that you used fiddler, right? It’s completely stateless.

    If you wanted to avoid this behavior (which is by design) you will have to keep track somewhere on the server either a list of online users, or add some flag in the database about the user which indicates whether he is online or not. Then you will write a custom Authorize attribute that will check in this centralized store whether the user is allowed or not to login. When he logs out you will change this flag. Obviously if he closes his browser you won’t be able to change the flag but if he signs out normally you will know that even if someone had captured the authentication cookie, he will not be able to use it to issue a valid request.

    • 0