Fix where the encrypted session id gets corrupted resulting in a loop and a 500

error Explicitly cleared the session and authentication cookies
2012-07-25 19:33:43 +04:00 · 2012-07-25 19:33:43 +04:00 · 2a790f105d
commit 2a790f105d
parent ba1e53b8d2
2 changed files with 23 additions and 7 deletions
--- a/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
@ -217,6 +217,23 @@ namespace WebsitePanel.Portal
        public static void UserSignOut()
        {
            FormsAuthentication.SignOut();
+
+            if (HttpContext.Current.Session != null)
+            {
+                HttpContext.Current.Session.Clear();
+                HttpContext.Current.Session.Abandon();
+            }
+
+            // Clear authentication cookie 
+            HttpCookie rFormsCookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
+            rFormsCookie.Expires = DateTime.Now.AddYears(-1);
+            HttpContext.Current.Response.Cookies.Add(rFormsCookie);
+
+            // Clear session cookie  
+            HttpCookie rSessionCookie = new HttpCookie("ASP.NET_SessionId", "");
+            rSessionCookie.Expires = DateTime.Now.AddYears(-1);
+            HttpContext.Current.Response.Cookies.Add(rSessionCookie); 
+
            HttpContext.Current.Response.Redirect(LoginRedirectUrl);
        }

--- a/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/SecureSessionModule.cs
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/SecureSessionModule.cs
@ -64,15 +64,17 @@ namespace WebsitePanel.WebPortal
            // Look for an incoming cookie named "ASP.NET_SessionID" 
            HttpRequest request = ((HttpApplication)sender).Request;
            HttpCookie cookie = GetCookie(request, "ASP.NET_SessionId");
+            HttpCookie authCookie = request.Cookies[FormsAuthentication.FormsCookieName];

            if (cookie != null)
            {
                // Throw an exception if the cookie lacks a MAC 
                if (cookie.Value.Length <= 24)
                {
-                    FormsAuthentication.SignOut();
-                    HttpContext.Current.Response.Redirect(DefaultPage.GetPageUrl(PortalConfiguration.SiteSettings["DefaultPage"]));
-                    cookie.Value = GetSessionIDMac(cookie.Value, request.UserHostAddress, request.UserAgent, _ValidationKey);
+                    if ((authCookie != null))
+                    {
+                        WebsitePanel.Portal.PortalUtils.UserSignOut();
+                    } 
                    return;
                }

@ -87,10 +89,7 @@ namespace WebsitePanel.WebPortal
                // Throw an exception if the MACs don't match 
                if (String.CompareOrdinal(mac1, mac2) != 0)
                {
-                    FormsAuthentication.SignOut();
-                    HttpContext.Current.Response.Redirect(DefaultPage.GetPageUrl(PortalConfiguration.SiteSettings["DefaultPage"]));
-                    cookie.Value = GetSessionIDMac(cookie.Value, request.UserHostAddress, request.UserAgent, _ValidationKey);
-
+                    WebsitePanel.Portal.PortalUtils.UserSignOut();
                }

                // Strip the MAC from the cookie before ASP.NET sees it