
Request.IsAuthenticated is Always True After Calling FormsAuthentication.SignOut()

29 Jul 2016, CPOL
This trick describes how to fix the issue.

Introduction

When you work with Forms Authentication, you would expect HttpContext.Current.Request.IsAuthenticated to return false once you have called FormsAuthentication.SignOut().

That expectation is wrong.

Using the Code

C#
FormsAuthentication.SignOut();

When you check this:

C#
bool isAuthenticated = Request.IsAuthenticated;

the result is always true.

That is not what we expect after sign-out has been performed.

Fix the Issue

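To fix it, assign a new user right after the sign-out call, as shown below:

C#
// Namespaces needed: System.Security.Principal, System.Web, System.Web.Security
FormsAuthentication.SignOut();
// Replace the current user with an anonymous (empty-name) principal.
HttpContext.Current.User =
    new GenericPrincipal(new GenericIdentity(string.Empty), null);

A new GenericPrincipal wrapping a GenericIdentity is assigned to the user of the current context. The identity has an empty name, so it is not authenticated, and null is passed as the principal's roles.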

Then it works!
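
An added example, not code from the original article: a sign-out helper that applies the fix above in one place, next to a separate post-logout check of the kind that keeps seeing the old user when the principal is not reset. `SignOutHelper` and `PostLogoutStep` are hypothetical names; the code assumes classic ASP.NET (System.Web) and works on an `HttpContextBase`.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (the name is an assumption): the single place that signs
// the user out and makes the rest of the current request see an anonymous user.
public static class SignOutHelper
{
    public static void SignOut(HttpContextBase context)
    {
        if (context == null) throw new ArgumentNullException("context");

        // Expires the forms-authentication cookie in the response.
        // context.User was populated earlier in this request and is not touched.
        FormsAuthentication.SignOut();

        // Request.IsAuthenticated reads context.User.Identity.IsAuthenticated,
        // so swap in an identity with an empty name, which is not authenticated.
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
    }
}

// Hypothetical post-logout step that knows nothing about the sign-out call
// and only inspects the request, as code later in the same request would.
public static class PostLogoutStep
{
    public static string Describe(HttpContextBase context)
    {
        if (context == null) throw new ArgumentNullException("context");

        return context.Request.IsAuthenticated
            ? "authenticated as " + context.User.Identity.Name
            : "anonymous";
    }
}

// Usage from a page or controller action (constructed example):
//   var ctx = new HttpContextWrapper(HttpContext.Current);
//   SignOutHelper.SignOut(ctx);
//   string state = PostLogoutStep.Describe(ctx);
```

Routing every logout through one helper keeps the principal reset from being forgotten in code paths that call FormsAuthentication.SignOut() directly.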

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Comments and Discussions

 
Re: Not quite true
Middle Manager, 1-Aug-16 7:02
You're right, but I think the mistake in design here is that the sign out process is dependent upon request completion (or upon the initiation of the next request - not sure which it is).

When I discovered this issue the authentication check was not immediately in the same method block as the sign out call was made. It was within a separate module that was called as part of a post-logout process -- which happened within the scope of the request and kinda needs to happen right after sign out, right? This particular bit of code inspected the HttpRequest authentication independently of any knowledge of an imminent sign out. Such a dependency would be ridiculous in this context. It received a false positive for authentication and as a result caused undesired behavior.

Easy to track down as an issue but defies certain reasonable design practices and expectations, which can be a dangerous thing if not known to the developer.