FormsAuthentication created ticket can't clear, is the BUG?

Time:10-08



The configuration file:
 <configuration>








The login operation:
 protected void btnLogin_Click(object sender, EventArgs e)
 {
     var isPersistent = false;
     // Issues the forms-authentication ticket for "admin" as a cookie
     FormsAuthentication.SetAuthCookie("admin", isPersistent);
     this.Response.Redirect(FormsAuthentication.DefaultUrl);
 }


Log out operation:
 protected void Page_Load(object sender, EventArgs e)
 {
     FormsAuthentication.SignOut();
     // remove the client cookie (an expiry date in the past makes the browser delete it)
     HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
     cookie1.Expires = DateTime.Now.AddYears(-1);
     Response.Cookies.Add(cookie1);

     Session.Abandon();
     // reset the login id (no effect)
     HttpContext.Current.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
 }


Demonstration effect:
Before login, trying to access a page that requires login


























Is it because of the FormAuth authentication mechanism that the ticket cannot be cleared?
If someone illegally obtains the AuthKey, then even after the user logs out and changes the password, a malicious request that sends the AuthKey can still log in successfully. Does something need to be added?


Resources:
FormsAuthentication.SignOut Method (System.Web.Security) | Microsoft Docs
https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.signout?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_SignOut

Parse ASP.NET for less than a User name and the cancellation of the User.Identity.IsAuthenticated value still is true - ten three blog
https://shiyousan.com/post/636409990481316726

CodePudding user response:

All the source code:
Link: https://pan.baidu.com/s/1fvk2MIIdVgkFH_D3q8mE5g
Extraction code: iil8

CodePudding user response:

Session/Authentication not removed server-side after logout | The ASP.NET Forums
https://forums.asp.net/t/1988295.aspx?Session+Authentication+not+removed+server+side+after+logout

CodePudding user response:

You have put the key in the cookie, so whoever gets hold of the key can of course open the lock with it.
Either do it some other way, or add another layer of authentication to opening the lock.

CodePudding user response:

Quoting the reply by fat uncle write code (3/F):
You have put the key in the cookie, so whoever gets hold of the key can of course open the lock with it.
Either do it some other way, or add another layer of validation to opening the lock.


If it expires normally, then even with the "key" the lock can't be opened. How does ASP.NET make the original key expire?
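
One way to make a signed-out ticket unusable on the server, as an added example that is not part of the original thread or of ASP.NET itself: each ticket carries an id in its UserData, and a server-side registry decides whether that id is still accepted. `TicketRegistry` and its methods are hypothetical names, and the in-memory store is an assumption made for brevity.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: server-side list of tickets that are still accepted.
// In-memory for brevity (emptied on app restart); a web farm needs a shared store.
public static class TicketRegistry
{
    static readonly ConcurrentDictionary<string, string> Active =
        new ConcurrentDictionary<string, string>(); // ticket id -> user name

    // Call at login instead of FormsAuthentication.SetAuthCookie.
    public static void SignIn(HttpResponse response, string userName)
    {
        string id = Guid.NewGuid().ToString("N");
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), false, id,
            FormsAuthentication.FormsCookiePath);
        Active[id] = userName;
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }
    // Logout: Revoke(ticketId, null). Password change: Revoke(null, userName),
    // which drops every ticket issued to that user.
    public static void Revoke(string ticketId, string userName)
    {
        string ignored;
        foreach (var entry in Active)
            if (entry.Key == ticketId || entry.Value == userName)
                Active.TryRemove(entry.Key, out ignored);
    }
    public static bool IsActive(FormsAuthenticationTicket ticket)
    {
        string owner;
        return Active.TryGetValue(ticket.UserData, out owner) && owner == ticket.Name;
    }
}
// Global.asax.cs: a ticket that decrypts correctly but was revoked is treated as anonymous.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity != null && !TicketRegistry.IsActive(identity.Ticket))
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
    }
}
```

The logout page would call `TicketRegistry.Revoke(((FormsIdentity)User.Identity).Ticket.UserData, null)` before `FormsAuthentication.SignOut()`, so a copied cookie is rejected on its next request even though it still decrypts and has not reached its expiration time.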