FormsAuthentication.SignOut()
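With Forms authentication, if the cookie is given an expiration time, pages that require authentication can still be accessed after signing out with FormsAuthentication.SignOut().
What is the reason for this?
Login verification: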
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, n, DateTime.Now, DateTime.Now.AddDays(1),this.CheckBox1.Checked, n + "&&" + p);
string encryTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryTicket);
cookie.Path = FormsAuthentication.FormsCookiePath;
if (this.CheckBox1.Checked)
{
    cookie.Expires = DateTime.Now.AddHours(1); // add an expiration time
}
Response.Cookies.Add(cookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(n, this.CheckBox1.Checked));
Sign out:
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
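Although this redirects to the login page, manually visiting a protected page still displays it. Is it because SignOut() cannot clear authentication that has an expiration time?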