
Session is not expiring?

Probably my question is stupid, but it is driving me crazy. You see, I have this application and its session is not expiring after logging out, even though I have used Session.Abandon(), Session.Clear(), and Session.RemoveAll(). I have been searching all over the internet but no luck so far, and I really wish I could get some help. Say I have user X; if I do the following, anyone can log in with X's account:

1- Log in with X's username and password.
2- Take the ".ASPXFORMSAUTH" session cookie info.
3- Log out from X's account.
4- Add the ".ASPXFORMSAUTH" cookie with its value, using Firefox's "add cookie" function for example.
5- Type the URL and press Enter: the page just opens up, and it is really driving me CRAZY!!

Thanks in advance


You also need to call FormsAuthentication.SignOut()


In this case, you can have an additional flag in Session (like "Active") which is set to false during logout. Based on this, you can redirect the user to login or any other general page you want to.

I am not sure if there is a defined way to handle this, but I would do something like I said.

Scenario: the user is already logged out by using FormsAuthentication.SignOut() and is trying to hack the system by using the same cookie (he somehow got access to it) to access an authenticated part of the website. In such a scenario, recommendations from Microsoft also suggest using a persistence mechanism to log / track the user sign-out and using that information to redirect him to the login page (and clear the cookie again) in subsequent fake requests.

Reference: read bulleted point 3 in the Remarks section.

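The server-side sign-out tracking that the answer above describes, as an added example that is not part of the question or any answer: an HttpModule that records when a user signed out and rejects any forms authentication ticket issued before that moment, so a replayed cookie is refused until the ticket would have expired anyway. The in-memory store is an assumption for a single server; a web farm would need a shared store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Added example: refuses a forms-auth ticket that is replayed after the user signed out.
public class SignOutTrackingModule : IHttpModule
{
    // User name -> time of the last sign-out. In-memory store for a single server
    // (assumption); a web farm needs a shared store such as a database table.
    private static readonly ConcurrentDictionary<string, DateTime> LastSignOut =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) => RejectReplayedTicket(app.Context);
    }
    public void Dispose() { }

    // Call this from the logout handler, next to FormsAuthentication.SignOut().
    public static void RecordSignOut(HttpContext ctx)
    {
        FormsAuthenticationTicket ticket = GetTicket(ctx.Request);
        if (ticket != null)
            LastSignOut[ticket.Name] = DateTime.Now;
    }

    private static void RejectReplayedTicket(HttpContext ctx)
    {
        FormsAuthenticationTicket ticket = GetTicket(ctx.Request);
        DateTime signedOutAt;
        if (ticket == null || !LastSignOut.TryGetValue(ticket.Name, out signedOutAt)) return;

        // Any ticket issued before the sign-out is dead, including copies renewed by
        // sliding expiration; a fresh login after the sign-out gets a newer IssueDate.
        if (ticket.IssueDate <= signedOutAt)
        {
            FormsAuthentication.SignOut();              // clear the replayed cookie
            FormsAuthentication.RedirectToLoginPage();  // ends the response
        }
        else if (signedOutAt.Add(ticket.Expiration - ticket.IssueDate) < DateTime.Now)
            LastSignOut.TryRemove(ticket.Name, out signedOutAt);  // pre-sign-out tickets all expired
    }

    private static FormsAuthenticationTicket GetTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { return FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }  // tampered or foreign cookie: treat as no ticket
    }
}
```

Register the module under system.webServer/modules in web.config so it runs on every request. Note that one sign-out invalidates all of that user's outstanding tickets, including those on other devices.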
