Request
The customer requires custom cookies to be cleared by DNN in addition to the standard ones, in order to have a fully successful logout.
Solution
Approach #1
Append the "UserToken" string to your cookie names, since any cookies matching that format will be removed once the user logs out. You can review the code here:
https://github.com/dnnsoftware/Dnn.Platform/blob/6387dd1a7e55cdd994d567cdb76733fbd63819dc/DNN%20Platform/Library/Security/PortalSecurity.cs#L775
The problem with this approach is that it is only triggered if the user manually logs out; otherwise, the cookies will not disappear until they expire, even if the .DOTNETNUKE cookie expired long ago. Furthermore, it might not be possible to rename these cookies if they are served from another provider.
Approach #2
This is the recommended approach for the time being, even though it will add overhead to all your pages: add client-side code (JS) to expire the cookies as soon as the forms authentication cookie (.DOTNETNUKE) expires or disappears from the session. This requires adding a script to your skin or site header that checks every minute or so and, if the auth cookie is no longer there, clears the rest of the cookies. However, I would recommend reviewing any other options you might be considering, since this one might add some significant overhead due to having a sort of loop constantly looking for the cookie.
A cleaner way would be to check the cookies on page load; nevertheless, this might be a bit confusing for the user since the request will be completed as if the cookies still existed and it will not be obvious that the session expired until the next request.
Finally, you could also add the JS code to expire the cookies to the logout button; however, once again, this will only work for manual logouts and not when the cookies expire.
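A sketch of the Approach #2 script, added here as an example and not taken from DNN: it checks on page load and then once a minute, and expires the custom cookies when the auth cookie is no longer visible. The names in CUSTOM_COOKIES are hypothetical placeholders, and the example assumes every cookie involved is readable by script; a cookie flagged HttpOnly never appears in document.cookie and cannot be checked or expired this way.

```javascript
// Added example, not DNN code.
const AUTH_COOKIE = ".DOTNETNUKE";                      // forms authentication cookie named on this page
const CUSTOM_COOKIES = ["SsoSession", "PartnerPrefs"];  // hypothetical custom cookie names (assumption)
const CHECK_INTERVAL_MS = 60 * 1000;                    // "every minute or so"

// Parse a document.cookie-style string ("a=1; b=2") into a Set of cookie names.
function cookieNames(cookieString) {
  const names = new Set();
  for (const part of cookieString.split(";")) {
    const name = part.split("=")[0].trim();
    if (name) names.add(name);
  }
  return names;
}

// Return the document.cookie assignments that expire each custom cookie
// still present once the auth cookie is gone. An empty array means
// "still signed in" or "nothing left to clear".
// Path (and Domain, if one was used) must match the values the cookie was
// created with, otherwise the browser treats it as a different cookie.
function expiryAssignments(cookieString, path = "/") {
  const present = cookieNames(cookieString);
  if (present.has(AUTH_COOKIE)) return [];
  return CUSTOM_COOKIES
    .filter((name) => present.has(name))
    .map((name) => `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`);
}

// Browser wiring: one sweep on page load, then one per interval.
function startCookieWatch(doc) {
  const sweep = () => {
    const expired = expiryAssignments(doc.cookie);
    expired.forEach((assignment) => { doc.cookie = assignment; });
    return expired.length;
  };
  sweep();
  return setInterval(sweep, CHECK_INTERVAL_MS);
}

// Only start the loop when running in a page (skin or site header).
if (typeof document !== "undefined") startCookieWatch(document);
```

Once the custom cookies are gone each sweep is a single string parse, so the per-minute cost stays small; the page-load sweep covers the case where the session expired while the tab was closed.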