Facing an issue with cookieless Forms Authentication in an ASP.NET sub-application that is integrated with a main application built in Python
Hello,
We are facing an issue with cookieless Forms Authentication in an ASP.NET sub-application that is integrated with a main application built in Python.
The main application (Python) and sub-application (ASP.NET) work together. The ASP.NET sub-application uses Forms Authentication in cookieless mode (UseUri). When the main application logs out, it must also log out the sub-application by calling https://subapp.example.com/logout.aspx. The issue is that the sub-application is still accessible if the URL is available from developer tools after logging out from the main app.
Since the Forms Authentication is cookieless, I am unable to fetch the authentication cookie from the sub-application.
The only way to log out is by manually calling https://subapp.example.com/forms authentication cookie/logout.aspx, which works only if the sub-application explicitly uses FormsAuthentication.SignOut(). However, since it's cookieless, we cannot track the authentication ticket properly.
How can I fetch the authentication ticket (or simulate Forms Authentication logout) in a cookieless environment?
Is there a recommended way to enforce a complete logout across both applications?
Is there any way to programmatically invalidate the Forms Authentication ticket even if the URL remains accessible?
How to access the forms authentication token?
Looking for a way to invalidate the authentication ticket globally, but no success so far.
Would appreciate any suggestions or best practices to handle this!
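
The following is an added example, not code from the original post: Forms Authentication does not keep issued tickets on the server, so a ticket embedded in a URL stays usable until it expires, and one way to cut it off earlier is a server-side revocation check in the sub-application. It assumes a hypothetical `TicketRevocation` helper, that logout.aspx calls `TicketRevocation.Revoke` with the user name sent by the main application over an authenticated channel, and that `slidingExpiration="false"` is set so a ticket's IssueDate is never refreshed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not a framework type): remembers when each user last logged out.
public static class TicketRevocation
{
    // In-memory for illustration only; use a shared store on a web farm
    // or if revocations must survive an application restart.
    private static readonly ConcurrentDictionary<string, DateTime> LoggedOutUtc =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Called by the logout endpoint with the user name the main application sends.
    public static void Revoke(string userName)
    {
        LoggedOutUtc[userName] = DateTime.UtcNow;
    }

    // A ticket is revoked if it was issued at or before that user's last logout.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime cutoff;
        return LoggedOutUtc.TryGetValue(ticket.Name, out cutoff)
            && ticket.IssueDate.ToUniversalTime() <= cutoff;
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has decrypted the ticket from the URL.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User != null ? Context.User.Identity as FormsIdentity : null;
        if (identity != null && TicketRevocation.IsRevoked(identity.Ticket))
        {
            // Downgrade to anonymous so URL authorization denies the request.
            Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
    }
}
```

A ticket issued by a later login has a newer IssueDate than the stored cutoff, so the user can sign in again while any URL captured before the logout stays rejected.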