ASP.NET LoginStatus: logout not working


I'm working on a web-app using Membership Provider to implement authentication and user/role access to application sections.

I'm using the LoginStatus control in my master page as a logout link, but while testing it I discovered that logout doesn't work. If I try to access any page of my application again (after logging out), the page is shown...

I suppose this problem depends on data stored in the user session that isn't cleared automatically. Is that right?

So what is the correct way to implement logout and clear the session?

NOTE I'm not implementing any event for the LoginStatus control. I'm using Forms authentication. In my login page I'm using this code:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
   1, // Ticket version
   this.txtUser.Text, // Username associated with ticket
   DateTime.Now, // Date/time issued
   DateTime.Now.AddMinutes(30), // Date/time to expire
   true, // "true" for a persistent user cookie
   ruolo, // User-data, in this case the roles
   FormsAuthentication.FormsCookiePath);

string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
   FormsAuthentication.FormsCookieName,
   hash);

if (ticket.IsPersistent) { cookie.Expires = ticket.Expiration; }

Response.Cookies.Add(cookie);

In my web.config system.web section:

<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" path="/" domain="keyforup.it"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>

Solution

  • Calling Session.Abandon() in LoggedOut event of LoginStatus control solves the issue, but I'm wondering if this is the best way to achieve this.
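
A logout handler for the setup above, as an added example that is not part of the original post: it abandons the session and also expires the ticket cookie in the host-only scope that the login code uses, since that code never sets `cookie.Domain` while `<forms>` declares `domain="keyforup.it"`. The class name `SiteMaster`, the control ID `LoginStatus1` and the default session cookie name `ASP.NET_SessionId` are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical master page code-behind; the markup wires the handler with
// <asp:LoginStatus ID="LoginStatus1" runat="server"
//                  OnLoggedOut="LoginStatus1_LoggedOut" />
public partial class SiteMaster : MasterPage
{
    protected void LoginStatus1_LoggedOut(object sender, EventArgs e)
    {
        // LoginStatus has already called FormsAuthentication.SignOut() by the
        // time LoggedOut fires; that expires the ticket cookie using the path
        // and domain configured on <forms> in web.config.

        // Drop all server-side session state for this user.
        Session.Clear();
        Session.Abandon();

        // The login page adds the ticket cookie without a Domain attribute, so
        // the browser may hold it as a host-only cookie that the domain-scoped
        // expiry sent by SignOut() does not replace. Expire that copy as well.
        ExpireHostOnlyCookie(FormsAuthentication.FormsCookieName,
                             FormsAuthentication.FormsCookiePath);

        // Expire the session cookie (default name assumed) so the next
        // request is issued a new session ID.
        ExpireHostOnlyCookie("ASP.NET_SessionId", "/");
    }

    // Sends an already-expired cookie with the same name and path, which
    // tells the browser to delete the one it holds.
    private void ExpireHostOnlyCookie(string name, string path)
    {
        HttpCookie expired = new HttpCookie(name, string.Empty);
        expired.Path = path;
        expired.HttpOnly = true;
        expired.Expires = DateTime.UtcNow.AddYears(-1);
        Response.Cookies.Add(expired);
    }
}
```

The forms ticket is self-contained and is not revoked on the server, so a copy of the cookie captured before logout stays valid until the ticket's expiration time (30 minutes in the login code above).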