Facing an issue with cookieless Forms Authentication in an ASP.NET sub-application that is integrated with a main application built in Python

Akshayaa Kalyanavenkatesh 0 Reputation points
2025-02-21T05:57:30.9833333+00:00

Hello,

We are facing an issue with cookieless Forms Authentication in an ASP.NET sub-application that is integrated with a main application built in Python.

The main application (Python) and sub-application (ASP.NET) work together. The ASP.NET sub-application uses Forms Authentication in cookieless mode (UseUri). When the main application logs out, it must also log out the sub-application by calling https://subapp.example.com/logout.aspx. The issue is that the sub-application is still accessible if the URL is available from developer tools after logging out from the main app.

Since the Forms Authentication is cookieless, I am unable to fetch the authentication cookie from the sub-application.

The only way to log out is by manually calling https://subapp.example.com/forms authentication cookie/logout.aspx, which works only if the sub-application explicitly uses FormsAuthentication.SignOut(). However, since it's cookieless, we cannot track the authentication ticket properly.

How can I fetch the authentication ticket (or simulate Forms Authentication logout) in a cookieless environment?

Is there a recommended way to enforce a complete logout across both applications?

Is there any way to programmatically invalidate the Forms Authentication ticket even if the URL remains accessible?

How to access the forms authentication token?

Looking for a way to invalidate the authentication ticket globally, but no success so far.

Would appreciate any suggestions or best practices to handle this!


1 answer

  1. Pradeep M 6,240 Reputation points Microsoft Vendor
    2025-02-21T07:00:47.71+00:00

    Hi Akshayaa Kalyanavenkatesh,

    Thank you for reaching out to Microsoft Q & A forum. 

    Since Forms Authentication in cookieless mode (UseUri) stores the authentication ticket in the URL, users can still access the sub-application if they reuse an old URL. To properly enforce logout across both applications, consider the following solutions: 

    1. Sign Out and Redirect: Ensure FormsAuthentication.SignOut() is followed by a redirect to prevent ticket reuse:

    // Remove the forms authentication ticket for the current request
    FormsAuthentication.SignOut();
    // Redirect so the browser leaves the authenticated URL (in cookieless mode the ticket is part of the path)
    Response.Redirect("~/Login.aspx");

    2. Expire the Authentication Ticket: Manually invalidate the ticket to ensure it cannot be reused:

    // Build a ticket with an empty user name whose expiry (one second ago) is already in the past
    FormsAuthenticationTicket expiredTicket = new FormsAuthenticationTicket(1, "", DateTime.Now, DateTime.Now.AddSeconds(-1), false, "");
    // Encrypt it with the application's machineKey, exactly as FormsAuthentication does for real tickets
    string encryptedTicket = FormsAuthentication.Encrypt(expiredTicket);
    // Overwrite the forms authentication cookie with the expired ticket
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket));
    
    

    3. Centralized Logout from the Main Application:

        The Python app should call https://subapp.example.com/logout.aspx when logging out.

        The sub-application should:

            Call FormsAuthentication.SignOut().

            Redirect to the login page.

            Clear session data (Session.Abandon()).

    4. Validate Sessions Server-Side:

        Store session states in a database or Redis.

        Before granting access, check if the session is still valid.

    5. Prevent URL-Based Authentication Ticket Reuse:

        Use short-lived authentication tickets.

        Implement URL rewriting to remove the authentication ticket after login.

    Please feel free to contact us if you have any additional questions.     

    If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.  

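A worked example of items 3 and 4 of the answer above (server-side validation plus a logout endpoint the main application can call). This is added example code, not code from the question, the answer, or Microsoft; it assumes the revocation store is in memory (a database or Redis table takes its place in production), that the user name in the Forms Authentication ticket is the same identifier the Python application knows the user by, and that the header name X-Logout-Secret and the appSettings key LogoutSharedSecret are hypothetical names chosen here. The key idea is that nobody needs to "fetch" the ticket: a revocation timestamp per user, compared against the ticket's IssueDate after FormsAuthenticationModule has decoded it, rejects every ticket issued before the logout, whether it arrived in a cookie or in the URL path.

```csharp
using System;
using System.Collections.Concurrent;
using System.Configuration;
using System.Web;
using System.Web.Security;

// Hypothetical revocation store. In memory for illustration only; use a database
// or Redis (answer item 4) so revocations survive restarts and cover a web farm.
public static class TicketRevocationStore
{
    private static readonly ConcurrentDictionary<string, DateTime> RevokedAtUtc =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Every ticket issued to this user before "now" becomes invalid. The ticket
    // itself is never needed, which is what makes this work in UseUri mode.
    public static void RevokeAllTicketsFor(string userName)
    {
        RevokedAtUtc[userName] = DateTime.UtcNow;
    }

    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime revokedAt;
        if (!RevokedAtUtc.TryGetValue(ticket.Name, out revokedAt))
            return false;
        // IssueDate is local time (tickets are stamped with DateTime.Now); compare in UTC.
        return ticket.IssueDate.ToUniversalTime() <= revokedAt;
    }
}

// Runs after FormsAuthenticationModule has decoded the ticket, so the check is
// identical whether the ticket came from a cookie or from the URL path.
public class TicketRevocationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var identity = app.Context.User != null ? app.Context.User.Identity as FormsIdentity : null;
        if (identity == null)
            return; // anonymous request: nothing to check

        if (TicketRevocationStore.IsRevoked(identity.Ticket))
        {
            // An old URL replayed from the browser's developer tools lands here:
            // drop the ticket and send the caller to the login page.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }

    public void Dispose() { }
}

// Server-to-server endpoint the main (Python) application POSTs to on logout.
// The shared secret is configured out of band and only ever sent over HTTPS.
public class RemoteLogoutHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var response = context.Response;
        if (!context.Request.IsSecureConnection || context.Request.HttpMethod != "POST")
        {
            response.StatusCode = 405; // plain HTTP or GET: refuse
            return;
        }

        string presented = context.Request.Headers["X-Logout-Secret"] ?? "";
        string expected = ConfigurationManager.AppSettings["LogoutSharedSecret"] ?? "";
        if (expected.Length == 0 || !FixedTimeEquals(presented, expected))
        {
            response.StatusCode = 403;
            return;
        }

        string user = context.Request.Form["user"];
        if (string.IsNullOrEmpty(user))
        {
            response.StatusCode = 400;
            return;
        }

        TicketRevocationStore.RevokeAllTicketsFor(user);
        response.StatusCode = 204; // revoked; nothing to return
    }

    // Constant-time comparison so the secret cannot be guessed character by character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register TicketRevocationModule under system.webServer/modules and map RemoteLogoutHandler to a path of your choosing under system.webServer/handlers in web.config; the Python application then sends a POST with the user name in the form body and the secret in the header as part of its own logout. The existing logout.aspx (SignOut, Session.Abandon, redirect) stays as the path for the browser, while the revocation timestamp is what closes the gap the question describes: SignOut only affects the request that calls it, but a ticket issued before the recorded revocation time is rejected on every later request no matter which URL carries it.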
