FormsAuthentication.SignOut Method (System.Web.Security)

SignOut Method

Switch on low bandwidth view

Collapse All

Language Filter

This page is specific to

Microsoft Visual Studio 2005/.NET Framework 2.0

Other versions are also available for the following:

.NET Framework Class Library

FormsAuthentication.SignOut Method

Removes the forms-authentication ticket from the browser.

Namespace: System.Web.Security
Assembly: System.Web (in system.web.dll)

Syntax

Visual Basic (Declaration)

Public Shared Sub SignOut

Visual Basic (Usage)

FormsAuthentication.SignOut

public static void SignOut ()

C++

public:
static void SignOut ()

public static void SignOut ()

JScript

public static function SignOut ()

Remarks

The SignOut method removes the forms-authentication ticket information from the cookie or the URL if CookiesSupported is false. You can use the SignOut method in conjunction with the RedirectToLoginPage method to log one user out and allow a different user to log in.

If you run exclusively in cookieless mode, or if you support mixed mode, you should explicitly control the redirect to the login page if you require special business logic to execute as a result of removing the anonymous identifier.

When the SignOut method is called, a redirect to the application's login page is made by calling the Redirect method with the endResponse parameter set to false. The redirect does not take place until the current page has finished executing, so additional code can be run. If the code does not contain an explicit redirect to another page, the user is redirected to the login page configured in the application's configuration file.

Security Note
Calling the SignOut method only removes the forms authentication cookie. The Web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie. To improve security when using a forms authentication cookie, you should do the following:

Example

The following code example clears the forms-authentication cookie using the SignOut method and redirects the user to the login page using the RedirectToLoginPage method.

Visual Basic

<%@ Page Language="VB" %>
<%@ Import Namespace="System.Web.Security" %>

<script runat="server">

Public Sub LoginLink_OnClick(sender As Object, args As EventArgs)
  FormsAuthentication.SignOut()
  FormsAuthentication.RedirectToLoginPage()
End Sub

</script>
<html>
<body>

<form runat="server">
Welcome <B><%=User.Identity.Name%></B>. Not <B><%=User.Identity.Name%></B>? 
Click <asp:LinkButton id="LoginLink" Text="here" 
                      OnClick="LoginLink_OnClick" runat="server" />
to sign in.

<!-- Page Contents -->

</form>



</body>
</html>

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>

<script runat="server">

public void LoginLink_OnClick(object sender, EventArgs args)
{
  FormsAuthentication.SignOut();
  FormsAuthentication.RedirectToLoginPage();
}

</script>
<html>
<body>

<form runat="server">
Welcome <B><%=User.Identity.Name%></B>. Not <B><%=User.Identity.Name%></B>? 
Click <asp:LinkButton id="LoginLink" Text="here" 
                      OnClick="LoginLink_OnClick" runat="server" />
to sign in.

<!-- Page Contents -->

</form>



</body>
</html>

Platforms

Windows 98, Windows 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see System Requirements.

Version Information

.NET Framework

Supported in: 2.0, 1.1, 1.0

Reference

FormsAuthentication Class
FormsAuthentication Members
System.Web.Security Namespace

Other Resources

ASP.NET Web Application Security