Hello,
I'm trying to solve the following problem but I can't:
The issue is preventing the "broken authentication and session management" security problem.
In logout I put this code:
    // Logout handler (poster's code, one statement per line)
    Membership.DeleteUser(Membership.GetUser(true).UserName, true);
    MembershipProvider.SignOut(MembershipLogoutMethods.CloseButton);
    FormsAuthentication.SignOut();
    Session.Abandon();
    // Expire the session cookie on the client and overwrite it with an empty one
    Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddSeconds(-30);
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
I intercept a POST request that deletes an application user.
Then I log out with the code above and send the request I intercepted before with another application (Burp), and the web application allows me to run the request and delete the user. When I check in BeginRequest whether I am authenticated (Request.IsAuthenticated), the application says "YES".
I don't understand why I am authenticated if I logged out the session.
In web.config I have the following configuration:
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx?cod_deployment=189" timeout="10" name="SFNetAuthCookie"></forms>
    </authentication>
    <sessionState cookieless="false" regenerateExpiredSessionId="true" timeout="10" />
What is the problem?
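The replay works because FormsAuthentication.SignOut() only instructs the browser to drop the cookie; the encrypted ticket itself stays valid until its timeout, so a captured copy is still accepted. The following is an added example (not the poster's code) showing one server-side mitigation: record each user's sign-out time and reject any forms ticket issued before it. The in-memory ConcurrentDictionary store and the RevocationModule name are assumptions for illustration; a real deployment needs a shared, persistent store and registration of the module in web.config.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Server-side revocation of forms-authentication tickets (added example).
public static class TicketRevocation
{
    // Assumption: in-memory store; use a persistent shared store in production.
    private static readonly ConcurrentDictionary<string, DateTime> SignedOutAt =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logout handler, before FormsAuthentication.SignOut().
    public static void Revoke(string userName)
    {
        SignedOutAt[userName] = DateTime.UtcNow;
    }

    // True when the ticket was issued before the user's most recent sign-out.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime signedOut;
        return SignedOutAt.TryGetValue(ticket.Name, out signedOut)
            && ticket.IssueDate.ToUniversalTime() <= signedOut;
    }
}

// Runs after FormsAuthenticationModule has populated Context.User.
public class RevocationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            var cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie == null || !ctx.Request.IsAuthenticated) return;

            FormsAuthenticationTicket ticket;
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (ArgumentException) { ticket = null; } // tampered or undecryptable

            if (ticket == null || TicketRevocation.IsRevoked(ticket))
            {
                // Downgrade the request to anonymous so Request.IsAuthenticated is false.
                ctx.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
                FormsAuthentication.SignOut(); // tell the client to drop the stale cookie
            }
        };
    }

    public void Dispose() { }
}
```

With this in place, a ticket replayed after logout is rejected even though it is still within the configured timeout; the same check should also cover a missing or mismatched server-side session if authorization depends on session state.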