Forms based authentication - Cookie doesn't expire on Sign Out

    Question

  • Hi,

     We had security testing done on some of our SharePoint sites. The tester ran some security tools on Firefox and could find the authentication cookie in the URL. Even after a user signs out, we are able to get into the portal with the authentication URL that contains the cookie.

    We found a solution on MSDN

    http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx

    but it is totally unreasonable to have every user's state stored in persistent storage and update a flag every time the user signs out.

    Can anyone help with how we can expire a forms based authentication cookie?

    Thanks

    Adi


    AdiS

    Monday, February 27, 2012 6:24 PM
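
The replay described in the question happens because a forms authentication ticket is validated from its own contents, so sign-out on the client does not invalidate a copy of it. As an added example (not part of the original post, the MSDN page, or SharePoint), the sketch below rejects tickets issued before a user's last sign-out and keeps a record only until those tickets would have expired anyway. It assumes classic ASP.NET forms authentication with the ticket sent as a cookie, a single timeout for all tickets, and one web server; `SignOutRevocationModule`, `Revoke`, `SentTicket` and `Check` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
// Hypothetical module for illustration; not SharePoint or ASP.NET framework code.
public class SignOutRevocationModule : IHttpModule
{
    // user name -> { sign-out time, purge time } in UTC; in memory, one server only.
    private static readonly Dictionary<string, DateTime[]> SignedOut =
        new Dictionary<string, DateTime[]>(StringComparer.OrdinalIgnoreCase);

    // Ticket as the client sent it; the identity may hold a renewed copy instead.
    private static FormsAuthenticationTicket SentTicket(HttpContext ctx)
    {
        if (ctx.User == null || !(ctx.User.Identity is FormsIdentity)) return null;
        HttpCookie c = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        bool empty = c == null || string.IsNullOrEmpty(c.Value);
        return empty ? null : FormsAuthentication.Decrypt(c.Value);
    }

    // Call from the sign-out handler before FormsAuthentication.SignOut().
    public static void Revoke(HttpContext ctx)
    {
        FormsAuthenticationTicket t = SentTicket(ctx);
        if (t == null) return;
        DateTime now = DateTime.UtcNow;
        // Assumes one configured timeout: no earlier ticket outlives now + lifetime.
        DateTime purge = now + (t.Expiration - t.IssueDate);
        lock (SignedOut) { SignedOut[t.Name] = new[] { now, purge }; }
    }

    public void Init(HttpApplication app)
    {
        // Runs after FormsAuthenticationModule has accepted the ticket.
        app.PostAuthenticateRequest += delegate { Check(HttpContext.Current); };
    }

    private static void Check(HttpContext ctx)
    {
        FormsAuthenticationTicket t = SentTicket(ctx);
        DateTime[] rec;
        lock (SignedOut)
        {
            if (t == null || !SignedOut.TryGetValue(t.Name, out rec)) return;
            if (DateTime.UtcNow > rec[1]) { SignedOut.Remove(t.Name); return; }
        }
        if (t.IssueDate.ToUniversalTime() > rec[0]) return; // issued after sign-out
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        ctx.ApplicationInstance.CompleteRequest(); // do not run the page handler
    }
    public void Dispose() { }
}
```

Because the record is keyed by user name, signing out in one browser also ends that user's other sessions. On a farm the dictionary would have to be replaced by a store that all front-end servers share.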

All replies