LoginStatus - implicit Logout

Hi

While looking into Anti-XSRF on Web Forms v4.5.1 - Site.Master I found the following template code:

<asp:LoginStatus runat="server" 
    LogoutAction="Redirect"
    LogoutText="Log off"
    LogoutPageUrl="~/"
    OnLoggingOut="Unnamed_LoggingOut" />


protected void Unnamed_LoggingOut(object sender, LoginCancelEventArgs e)
{
    Context.GetOwinContext().Authentication.SignOut();
}

I have been using LoginStatus with Forms Authentication since ASP.NET v3.5.1 without calling any event handler for logging out; and it works fine because the .ASPXAUTH cookie is not in the browser after a logout.

So, I started digging into LoginStatus on this forum, and I found this post:

The LoginStatus just redirects you to the Logout page where you need to write code to actually log out. It does not by itself perform the log out. To perform a logout, do this in the code-behind:

FormsAuthentication.SignOut();

Of real concern is: "It does not by itself perform the log out" - IS THAT REALLY TRUE?

From LoginStatus Class on MSDN:

When the user is logged in to the Web site, the LoginStatus control provides a link to log out of the Web site. Logging out of the Web site clears the user's authentication status and when using cookies will clear the cookie from the user's client computer. On any subsequent visit to the Web site, the LoginStatus control will display the prompt to log in.

When a user uses the LoginStatus control to log out of a Web site, all data present in view state and all post data is lost.

Again, this has been my experience, but the above forum post has me wondering. Furthermore, the MSDN documentation does not say you must explicitly assign the OnLoggingOut for the above to occur.

In a nutshell, if you just have

<asp:LoginStatus ID="LoginStatus1" runat="server"/>

is that sufficient to implicitly log out without explicitly doing a FormsAuthentication.SignOut()?