How does log off work in DNN 5.x?
We are seeing an issue where the Session isn't being abandoned in DNN. I'm not sure if this was a 4.5.x issue, as we upgraded a while ago to 5.x and may be referencing an older control.
The login/logoff control we are referencing in our module is DotNetNuke.UI.Skins.Controls.Login located in path DNN_Web_Root/admin/Skins/login.ascx
In there it looks like it does a redirect to logoff.aspx, which then goes through the LogoffHttpHandler, which then goes somewhere to complete the logoff process; however, I cannot find where that process is to see if Session.Abandon is being called.
Can anyone answer the following:
- Is there an issue with DNN where Session.Abandon is not being called on Logoff?
- What is the process that actually handles the LogOff process?
Logoff is normally handled by Desktopmodules\Admin\Authentication\Logoff.ascx. The main action is to clear the authentication cookie, along with a few other cookies and some user specific cached data.
DotNetNuke NEVER uses Session for anything and does not clear Session during a log off.
It looks like Dan Rowe had some luck with the following code:
Response.Redirect(Globals.NavigateURL(TTSRoutines.giPunchinPage, "Logoff"), True)
Reference
I assume the threat you're worrying about is the shared computer environment scenario where someone logs off but does not close their browser, and the next user sits down and is able to access something they shouldn't because of a session variable still hanging around for 20 mins or so?
If you must use session, one work-around is to simply check
System.Web.HttpContext.Current.User.Identity.IsAuthenticated
in any place you are worried about a non-logged in user taking advantage of the previous logged in user's session variables.
That being said, calling Session.Abandon() in Logoff as @ScottS suggested may be the easiest way to go, though this option may not be available in a hosted environment.
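The IsAuthenticated check described in the answer above, as an added example that is not part of the original answers and is not DotNetNuke code: a wrapper that releases session values only to the authenticated user who stored them. It goes one step further than the answer by also comparing the user name, so a different user who logs in before the session times out does not inherit the data. The class name UserBoundSession and the OwnerKey slot are hypothetical.

```vb
Imports System
Imports System.Web

' Added example, not DotNetNuke code. Class name and OwnerKey are hypothetical.
Public NotInheritable Class UserBoundSession

    ' Session slot recording which authenticated user wrote the data (assumed name).
    Private Const OwnerKey As String = "UserBoundSession.Owner"

    Private Sub New()
    End Sub

    ' Name of the authenticated user for this request, or Nothing when anonymous.
    Private Shared Function CurrentUserName(ByVal ctx As HttpContext) As String
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then Return Nothing
        Return ctx.User.Identity.Name
    End Function

    ' Store a value and stamp the session with the current authenticated user.
    Public Shared Sub SetValue(ByVal key As String, ByVal value As Object)
        Dim ctx As HttpContext = HttpContext.Current
        If ctx Is Nothing OrElse ctx.Session Is Nothing Then Return
        Dim user As String = CurrentUserName(ctx)
        If user Is Nothing Then
            Throw New InvalidOperationException("Anonymous requests may not write user-bound session data.")
        End If
        Dim owner As String = TryCast(ctx.Session(OwnerKey), String)
        ' Data left behind by a previous user is dropped before anything new is stored.
        If owner IsNot Nothing AndAlso Not String.Equals(owner, user, StringComparison.OrdinalIgnoreCase) Then
            ctx.Session.Clear()
        End If
        ctx.Session(OwnerKey) = user
        ctx.Session(key) = value
    End Sub

    ' Return the value only when the request is authenticated as the user who stored it.
    Public Shared Function GetValue(ByVal key As String) As Object
        Dim ctx As HttpContext = HttpContext.Current
        If ctx Is Nothing OrElse ctx.Session Is Nothing Then Return Nothing
        Dim user As String = CurrentUserName(ctx)
        Dim owner As String = TryCast(ctx.Session(OwnerKey), String)
        If user Is Nothing OrElse Not String.Equals(owner, user, StringComparison.OrdinalIgnoreCase) Then
            ctx.Session.Clear() ' logged off, or a different user: discard the stale data
            Return Nothing
        End If
        Return ctx.Session(key)
    End Function
End Class
```

Module code then calls UserBoundSession.SetValue and UserBoundSession.GetValue instead of touching Session directly, so values left over after a logoff are cleared on the first anonymous or mismatched read.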