WebApp Sec mailing list archives

Cookie not expiring...

From: spawn security <spawn.security () gmail com>
Date: Tue, 16 Aug 2005 13:08:00 -0400

  I'm testing an application and after clicking on the logout button
the session management cookie does not expire. More specifically, the
application is using the FormsAuthentication class signout method to
"logout" an authenticated user.

Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object,
ByVal e As System.EventArgs) _
Handles cmdSignOut.ServerClick
FormsAuthentication.SignOut()
      Session.Abandon()
      Response.Redirect("login.aspx", True)
End Sub

 According to Microsoft documentation, this
FormsAuthentication.SignOut method works by returning a Set-Cookie
header to the browser that sets the cookie's value to a null string
and sets the cookie's expiration date to a date in the past.  This is
only expiring the cookie on the client/browser side. Which will allow
a "malicious" user, who had access to the cookie, to reuse it after
user logs out.

  Does anyone know how to force the cookie to expire on the server side ?

Thanks.

Current thread:

Cookie not expiring... spawn security (Aug 16)
- Re: Cookie not expiring... bryan allott (Aug 17)
  - RE: Cookie not expiring... Dan Simon (Aug 17)
  - Re: Cookie not expiring... Rogan Dawes (Aug 17)
- Re: Cookie not expiring... Thomas Chiverton (Aug 17)
- <Possible follow-ups>
- RE: Cookie not expiring... Steven Rebello (Aug 17)
- RE: Cookie not expiring... David Knapman (Aug 17)
- Re: Cookie not expiring... dharmeshmm (Aug 17)
  - RE: Cookie not expiring... Dan Simon (Aug 17)
    - Windows 2003 Server Hardening Joe Osborn (Aug 18)
    - Re: Windows 2003 Server Hardening jcarr083 (Aug 19)

(Thread continues...)