Thursday, January 17, 2013

ASP.NET Session.Abandon() doesn't work - not Logged out

Issue:
Calling Session.Abandon() does not clear the full session or invalidate the login, so the user is not logged out.

Details:
Session.Abandon() clears the current session of the user, but it does not specifically ensure that all session data is cleared; for that you need to call the Session.Clear() method explicitly. Many users expect the user to be logged out after these methods are called, which doesn't work well. This server-side method also doesn't clear the cached session on the client browser.

Solution:
If you want to invalidate the user login, the best solution is to use the ASP.NET LoginStatus control.

<asp:LoginStatus id="LoginStatus1" runat="server" LogoutAction="RedirectToLoginPage" />

Make sure to set the LogoutAction property to "RedirectToLoginPage". This will invalidate the user's session and log him out.
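A code-behind handler that pairs the LoginStatus1 control above with explicit session cleanup, so the server-side session data and the browser's session cookie are both dealt with when the user clicks Logout. This is an added example, not code from the original post. It assumes the default session cookie name ASP.NET_SessionId, and the page class name LogoutDemoPage is hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for the page that hosts LoginStatus1.
public partial class LogoutDemoPage : Page
{
    // Assumption: default cookie name. Change it if web.config sets
    // <sessionState cookieName="..."> to something else.
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Page_Init(object sender, EventArgs e)
    {
        // LoggingOut fires before the control carries out its LogoutAction.
        LoginStatus1.LoggingOut += LoginStatus1_LoggingOut;
    }

    private void LoginStatus1_LoggingOut(object sender, LoginCancelEventArgs e)
    {
        // Remove every key from the current session, then mark the session
        // to be destroyed at the end of this request.
        Session.Clear();
        Session.Abandon();

        // Replace the browser's session cookie with an empty, already expired
        // one so the old session ID is not presented again.
        var expired = new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(expired);

        // e.Cancel stays false, so LoginStatus goes on to log the user out
        // and redirect to the login page as configured in the markup.
    }
}
```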
