Page.User.Identity.IsAuthenticated still true after FormsAuthentication.SignOut()
A person is only authenticated once per request. Once ASP.NET determines if they are authenticated or not, then it does not change for the remainder of that request.
For example, when someone logs in. When you set the forms auth cookie indicating that they are logged in, if you check to see if they are authenticated on that same request, it will return false
, but on the next request, it will return true
. The same is happening when you log someone out. They are still authenticated for the duration of that request, but on the next one, they will no longer be authenticated. So if a user clicks a link to log out, you should log them out then issue a redirect to the login page.
I remember having a similar problem and I think I resolved it by expiring the forms authentication cookie at logout time:
FormsAuthentication.SignOut();
Response.Cookies[FormsAuthentication.FormsCookieName].Expires = DateTime.Now.AddYears(-1);
Page.User.Identity.IsAuthenticated
gets its value from Page.User
(obviously) which is unfortunately read-only and is not updated when you call FormsAuthentication.SignOut()
.
Luckily Page.User
pulls its value from Context.User
which can be modified:
// HttpContext.Current.User.Identity.IsAuthenticated == true;
FormsAuthentication.SignOut();
HttpContext.Current.User =
new GenericPrincipal(new GenericIdentity(string.Empty), null);
// now HttpContext.Current.User.Identity.IsAuthenticated == false
// and Page.User.Identity.IsAuthenticated == false
This is useful when you sign out the current user and wish to respond with the actual page without doing a redirect. You can check IsAuthenticated
where you need it within the same page request.