Re: Cookie not expiring...

["bryan allott" <homegrown () bryanallott net>]

i dont think the session is actually available. maybe what is happening is 
that a new session with the same identifier is being resurrected? read the 
following from msdn..

"Session identifiers for abandoned or expired sessions are recycled by 
default. That is, if a request is made that includes the session identifier 
for an expired or abandoned session, a new session is started using the same 
session identifier. You can disable this by setting 
regenerateExpiredSessionId attribute of the <sessionState> configuration 
element to true. For more information, see Session Identifiers."

.NET Framework
Supported in: 2.0, 1.1, 1.0

try that?

----- Original Message ----- 
From: "spawn security" <spawn.security () gmail com>
To: <webappsec () securityfocus com>
Sent: Tuesday, August 16, 2005 7:08 PM
Subject: Cookie not expiring...


 I'm testing an application and after clicking on the logout button
the session management cookie does not expire. More specifically, the
application is using the FormsAuthentication class signout method to
"logout" an authenticated user.

Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object,
ByVal e As System.EventArgs) _
Handles cmdSignOut.ServerClick
FormsAuthentication.SignOut()
     Session.Abandon()
     Response.Redirect("login.aspx", True)
End Sub

According to Microsoft documentation, this
FormsAuthentication.SignOut method works by returning a Set-Cookie
header to the browser that sets the cookie's value to a null string
and sets the cookie's expiration date to a date in the past.  This is
only expiring the cookie on the client/browser side. Which will allow
a "malicious" user, who had access to the cookie, to reuse it after
user logs out.

 Does anyone know how to force the cookie to expire on the server side ?

Thanks.




--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.10/73 - Release Date: 15-Aug-05