Scott Hanselman

New FormsAuthentication.SignOut behavior in ASP.NET 2.0

July 12, '05 Comments [6] Posted in ASP.NET | DasBlog

Calling FormsAuthentication.SignOut() removes the FormsAuthentication cookies in ASP.NET 1.1. Sometimes folks call it from their Login page, like this:

if (!Page.IsPostBack)
{
    FormsAuthentication.SignOut();
}

This says, "If this is a fresh load of this page, clear out the authentication cookies."

If this seems like a reasonable thing, that's because it is. However, if you run an ASP.NET 1.1 site under ASP.NET 2.0 without recompiling, as a number of dasBlog users do, you may get some odd behavior.

You'll visit the Login.aspx page and get redirected back to Login.aspx forever in a loop, which makes your URL look like this:

/Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx%3fReturnUrl%3d%252fBlog%252flogin.aspx%
253fReturnUrl%253d%25252fBlog%25252flogin.aspx%25253fReturnUrl%25253d%2525252fBlog%
525252flogin.aspx%2525253fReturnUrl%2525253d%252525252fBlog%252525252flogin.aspx%
52525253fReturnUrl%252525253d%25252525252fBlog%25252525252flogin.aspx%25252525253fReturnUrl%
5252525253d%2525252525252fBlog%2525252525252flogin.aspx%2525252525253fReturnUrl%2525252525253d%
52525252525252fBlog%252525252525252flogin.aspx%252525252525253fReturnUrl%252525252525253d%
5252525252525252fBlog%25252525252525252flogin.aspx%25252525252525253fReturnUrl%25252525252525253d%
525252525252525252fBlog%2525252525252525252flogin.aspx%2525252525252525253fReturnUrl%
525252525252525253d%252525252525252525252fBlog%252525252525252525252fLogin.aspx

Why? Because ASP.NET 2.0 adds this code inside SignOut():

if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
{
    Response.Redirect(FormsAuthentication.GetLoginPage(null), false);
}

That's pretty interesting. If you call SignOut() it redirects you to the Login page, but only if your CookieMode isn't set to UseCookies. This is because ASP.NET 2.0 added support for cookieless FormsAuthentication. They store the auth information in the URL, and they redirect you because they want to clear the authentication info. Makes sense.

What doesn't make sense is why HttpCookieMode doesn't default to UseCookies. It defaults to Cookieless. Which is lovely under ASP.NET 2.0, but not under 1.1. It stays that way and confuses the system.

So, if you see this kind of infinite redirect with FormsAuthentication while running ASP.NET 1.1 applications under ASP.NET 2.0, you can add cookieless="UseCookies" to your <forms> element in web.config:

<forms cookieless="UseCookies" name=".DASBLOGAUTH" protection="All" timeout="60" path="/"/>
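
To find out whether a site is hitting this loop, you can unwind the nested ReturnUrl values in logged request URLs and count how many times the login page wraps itself. The following is an added example, not code from dasBlog or ASP.NET; the function names, the login path constant and the simplified "METHOD URL" request lines are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

LOGIN_PATH = "/blog/login.aspx"  # assumption: login page path, as in the post's URL

def return_url_chain(url, max_depth=32):
    """Unwind nested ReturnUrl parameters and return the paths visited, outermost first."""
    paths = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        paths.append(parts.path.lower())
        # parse_qsl percent-decodes exactly one level, undoing the encoding
        # that one redirect added when it wrapped the previous URL.
        nested = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k.lower() == "returnurl"]
        if not nested:
            break
        current = nested[0]
    return paths

def is_login_loop(url, login_path=LOGIN_PATH, threshold=3):
    """True when the login page returns to itself at least `threshold` levels deep."""
    chain = return_url_chain(url)
    depth = len(chain) - 1
    return depth >= threshold and all(p == login_path for p in chain)

# Constructed sample requests (method and URL only, not a real IIS log format).
SAMPLE_REQUESTS = [
    "GET /Blog/default.aspx",
    "GET /Blog/login.aspx?ReturnUrl=%2fBlog%2fadmin.aspx",
    "GET /Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx%3fReturnUrl%3d%252fBlog"
    "%252flogin.aspx%253fReturnUrl%253d%25252fBlog%25252flogin.aspx",
]

def find_loops(requests):
    """Return (depth, url) for every request whose ReturnUrl chain is a login loop."""
    hits = []
    for line in requests:
        _method, _, url = line.partition(" ")
        if is_login_loop(url):
            hits.append((len(return_url_chain(url)) - 1, url))
    return hits

if __name__ == "__main__":
    for depth, url in find_loops(SAMPLE_REQUESTS):
        print(f"login redirect loop, depth {depth}: {url[:60]}...")
```
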

And then I went to sleep.

Now playing: Counting Crows - Angels of the Silences

Tuesday, July 12, 2005 6:08:59 AM UTC
The loooooong URL above makes the page be about 10,000 pixels wide.
Tuesday, July 12, 2005 2:22:27 PM UTC
Is it just me or does anyone else think this line is weird?

cookieless="UseCookies"
Jiho Han
Tuesday, July 12, 2005 2:28:39 PM UTC
Great FormsAuthentication double-dip today, Scott. I gotta go revisit some code right away!
Sergio Pereira
Friday, July 15, 2005 7:52:32 PM UTC
Why do you say it's lovely that ASP.NET 2.0 defaults to cookieless?
Bob Uva
Friday, July 15, 2005 7:55:29 PM UTC
It's sarcasm. It's NOT lovely when running a 1.1 app because of this blog post.
Scott Hanselman
Friday, September 09, 2005 3:57:58 PM UTC
cookieless="UseCookies" ... yes that's a little strange, not sure why it wouldn't be cookieless="false"; but hey, it works, so what do I care? *shrugs* Thanks Scott!