Issues with ASPXAUTH Cookie when logging out a Virtual User

I am trying to prevent cookie replays on our site.
Using Sitecore 8 with forms auth like so:

    <authentication mode="None">
      <forms name=".ASPXAUTH" cookieless="UseCookies" />

When a user successfully logs in, they are logged in as a Virtual User, and everything is fine. The.ASPXAUTH cookie is successully created. I take record of this value for later use...

When a user logs out, we logout the Virtual User and then Delete the user,  like so:

The sitecore user is now Anonymous, the .ASPXAUTH cookie is removed and the user is logged out successfully.

HOWEVER - if i then recreate the .ASPXAUTH cookie manually in a different browser with the original cookie value, the Virtual User is recreated and we can access their member page, when they should have been logged out and deleted.
Why is this the case? Is this expected behaviour? And how can I prevent this from occuring?

Thanks - Michael

  • Hi Michael,

    Microsoft is aware of issue ( and has documented to use a custom persistent solution like using DB for keeping track of invalid sessions that I know could quickly become a mess. So, following is what I did in my solution:

    You can make use of Sitecore's membership user comment property.

    On a normal login page of yours, you can add the following:
    var membershipUser = System.Web.Security.Membership.GetUser(SC.Context.User.Name);
    membershipUser.Comment = DateTime.Now.ToString();

    When logging out:
    var membershipUser = Membership.GetUser(SC.Context.User.Name);
    membershipUser.Comment = string.Empty;

    But if you re-use that .ASPXAUTH cookie to get in, you will be bypassing the normal login flow and hence on say the home page "OnLoad" handler, you can add the following to immediately logout if the comment field is empty even though you are logged-in. So, no back door entry.
    if (SC.Context.User.IsAuthenticated)
    var membershipUser = Membership.GetUser(SC.Context.User.Name);