WebSecurity.Logout() 和 Session.Abandon() 组合无法终止会话

Question

我一直在尝试找出为什么 WebSecurity.Logout() 和 Session.Abandon() 并且未能终止我的会话。我有一个托管在网络服务器上的应用程序无法注销用户。在调试中，它成功退出并按预期返回登录页面。我刚刚将 .Domain 属性添加到 cookie 中，以便在登录时他们可以访问子域的其余部分。我的cookie创建如下：

var authTicket = new FormsAuthenticationTicket(model.UserName, false, (int)FormsAuthentication.Timeout.TotalMinutes);
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
//authCookie.Domain = "mysite.org"
authCookie.Domain = "127.0.0.1";
Response.AppendCookie(authCookie);

我发现另一个关于堆栈溢出的帖子建议覆盖会话，即使我这样做：

WebSecurity.Logout();
Session.Abandon();

//clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

//clear session cookie (not necessary for your current problem but i would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

有什么想法会阻止它在调试中不会发生的网络服务器上工作吗？是否有其他形式的网络服务器 cookie 可以保留此会话？

Answer 1

在清除 cookie 时，您也需要在 cookie 上设置域，否则它只会在完整域级别 (www.mysite.org) 设置新 cookie，而不是清除 mysite.org cookie。

//clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
cookie1.Domain = "mysite.org";
Response.Cookies.Add(cookie1);

//clear session cookie (not necessary for your current problem but i would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
cookie2.Domain = "mysite.org";
Response.Cookies.Add(cookie2);