Different HttpCookie Behavior on each server


In my application, a button is responsible for redirecting the user to the login page. When it runs on the local server, everything works fine, and after calling the Logout method, it makes a null-value cookie and puts it on the response:

public ActionResult Logout()
{
    HttpContext context = HttpContext.Current;
    context.Session.Abandon();
    HttpCookie authenticationCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authenticationCookie == null)
        authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    authenticationCookie.Value = null;
    authenticationCookie.Secure = true;
    authenticationCookie.HttpOnly = true;
    authenticationCookie.Expires = DateTime.Now.AddDays(-1);
    context.Response.Cookies.Add(authenticationCookie);
    return Redirect("~");

}

Now, because the cookie does not have a value, it redirects to the login page.

In Global.asax, it checks for authentication info:

protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs args)
{
    SUser user = new SUser();
    user.ValidateAuthentication(args);
}

And now it redirects to the login page:

protected void Application_EndRequest(object sender, EventArgs e)
{
    SUser.RedirectSsoAuthentication();
}

But when the application is running on the remote server, Logout does not seem to be working and it just redirects to the root path.

Might it be that my code is missing something?

You can also take a look at my browser cookies: [image]

By the way, changing the browser didn't make any difference.

I'm not sure, but it might be related to the per-domain cookie limit.

As you see, in the response the cookie has no value, but when you send a request, the cookie value is what it was before logout: [image]

There is no issue when it's tried on different browsers or different accounts!

Best answer, by Abolfazl:

Finally, the problem disappeared when the code was changed in the following way:

public ActionResult Logout()
{
    var cookies = HttpContext.Current.Response.Cookies;
    var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
    cookie.HttpOnly = true;
    cookie.Secure = true;
    cookie.Domain = "";
    cookies.Add(cookie);
    HttpContext.Current.Session.Abandon();

    return Redirect("~");
}
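A browser replaces or deletes a stored cookie only when the new Set-Cookie has the same name, domain and path, so a logout that works on one host can silently fail on another where those attributes differ. The following is an added example, not code from the question or the answer: it builds the expiring cookie from the forms-authentication configuration instead of copying the request cookie. The controller name `AccountController` and the helper `ExpireCookie` are hypothetical, and it assumes the ticket cookie was issued with the domain and path configured in the `<forms>` element of web.config.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller   // hypothetical controller name
{
    public ActionResult Logout()
    {
        // Fully qualified: inside a Controller, "HttpContext" is the controller's own property.
        HttpContext context = System.Web.HttpContext.Current;

        // Expire the ticket cookie with the same domain and path it was issued with.
        // FormsAuthentication.SignOut() does the same for the configured cookie;
        // the helper makes the attributes explicit and reusable for other cookies.
        ExpireCookie(context,
                     FormsAuthentication.FormsCookieName,
                     FormsAuthentication.CookieDomain,
                     FormsAuthentication.FormsCookiePath);

        context.Session.Abandon();
        return Redirect("~");
    }

    // Hypothetical helper: writes an empty, already-expired cookie.
    private static void ExpireCookie(HttpContext context, string name,
                                     string domain, string path)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            HttpOnly = true,
            // Mirror requireSSL: current browsers ignore a Secure cookie that
            // arrives over plain HTTP, which would drop the deletion too.
            Secure = FormsAuthentication.RequireSSL,
            Path = string.IsNullOrEmpty(path) ? "/" : path,
            // A past expiry date tells the browser to delete the stored cookie.
            Expires = DateTime.UtcNow.AddDays(-1)
        };

        // Leave Domain unset for a host-only cookie; set it only when configured.
        if (!string.IsNullOrEmpty(domain))
            cookie.Domain = domain;

        // Drop any earlier response cookie of this name before adding ours.
        context.Response.Cookies.Remove(name);
        context.Response.Cookies.Add(cookie);
    }
}
```

Comparing the Domain and Path columns of the stored cookie in the browser's developer tools against the Set-Cookie header in the logout response shows whether the two actually match.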