Hello, I'm using the cookie authentication module and I'm creating and unsetting the cookies via ASP. When I reset the cookie to blanks or even other invalid values, CS does not log the user out if the cookie is invalid. Is this normal behavior? If so, please fix; this is a security flaw. CS should be constantly monitoring the authentication cookie for validity. Is anyone else having this problem? Thanks, Fred
If you're trying to log out the users, you should be doing it by expiring the cookie, not by setting it to an invalid value. Hope this helps,
Xander
Hmmm, not sure leaving the cookie with all the info on the machine is a good idea; you should consider resetting the cookie and its expiration. Thanks for the tip.
From a secure application design point, it should check the cookie every time a user-specific function is accessed to validate the user. At the very least it should check the cookie in intervals of 15 minutes. It doesn't appear this is the case, so it doesn't log out even if the cookie is expired. This is very frustrating; as far as I'm concerned the cookie authentication mod doesn't have logout capabilities, or it's bugged.
I have been working on a cross-site authentication implementation using Cookie Auth, and have found no issues with security.
If I expire the cookie, and go back to CS and 'refresh' the page (due to the browser caching my last page visit), I am no longer logged in. If I change the value of the cookie and make it become 'invalid' then I again go back to the CS site and refresh (again, browser cache issues) ... I am prompted with an error stating the cookie values are bad (in this case, I am using Encrypted Values and if I 'zero-out' the Value of the cookie -- CS throws exceptions)
I use the 'Web Developer' toolbar add-on for Firefox to help me test these cookie scenarios.
If anyone is running into these issues, it is most likely due to browser caching issues, or to improperly expiring the cookie (if you expire the cookie in .NET code, you must get the cookie from Request.Cookie, change the expiration, set the domain, and then add it back to Response.Cookies).
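The expiry sequence described in the reply above (read the cookie from the request, expire it, set the domain, add it back to the response), written out as an added C# example that is not Community Server's own code. The cookie name and domain are placeholders, and the no-cache headers address the page-refresh caching behaviour mentioned earlier in the thread:

```csharp
using System;
using System.Web;

// Added example, not Community Server's own code. The cookie name and domain are
// placeholders; use the name and domain your cookie auth configuration actually sets.
public static class CookieLogout
{
    private const string AuthCookieName = "EXAMPLE_AuthCookie"; // placeholder, not a real CS cookie name
    private const string CookieDomain = ".example.com";          // placeholder: must match the issuing domain

    // Expires the authentication cookie so the browser discards it, instead of leaving
    // it in place with an invalid value. Returns the cookie queued on the response, or
    // null if the request carried no such cookie.
    public static HttpCookie ExpireAuthCookie(HttpRequest request, HttpResponse response)
    {
        HttpCookie cookie = request.Cookies[AuthCookieName];
        if (cookie == null)
        {
            return null; // nothing to expire; no auth cookie was presented
        }

        // Overwrite the payload so the token does not linger on disk even if the
        // browser ignores the expiry (the concern raised earlier in the thread).
        cookie.Value = string.Empty;

        // A date in the past tells the browser to delete the cookie immediately.
        cookie.Expires = DateTime.UtcNow.AddYears(-1);

        // Domain and Path must match the original cookie exactly; otherwise the browser
        // treats this as a different cookie and the original stays valid.
        cookie.Domain = CookieDomain;
        cookie.Path = "/";
        cookie.HttpOnly = true;
        cookie.Secure = request.IsSecureConnection;

        // Only Response.Cookies reaches the browser; changing Request.Cookies alone does nothing.
        response.Cookies.Add(cookie);

        // Stop the browser from serving a cached "logged in" page on refresh.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        return cookie;
    }
}
```

Call it from the logout page before redirecting, so the expired cookie and the no-cache headers are both sent on the same response.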
Copyright © 2008 Telligent Systems Inc. All rights reserved. CommunityServer.com • Telligent.com