Umbraco Membership Trap

Tuesday, Sep 2, 2008 2 minute read Tags: umbraco
Hey, thanks for the interest in this post, but just letting you know that it is over 3 years old, so the content in here may not be accurate.

So today I was working to fix a problem on a site of ours which was to do with logging out of a site which uses the Umbraco Membership as the authentication provider.
The bug was that when you had to click the logout button twice to log out. Clicking logout once would just refresh the page with nothing apparently happening.

Firing up the debugger I start have a look, making sure that the events are being fired when they should and so on... and they are. The logout method is called, the member is removed from the cache, the "show login" method is called, but if you check through the Umbraco API you're not logged out. Member.CurrentMemberId() still returned a value.

Hmm... so I'm doing everything that I need to do, so why is the member still logged in?
I pull our .NET Reflector and start having a poke around the API calls. For those who don't know, by default Umbraco stores the member login details in cookies, and that was running fine, but what I found interesting was that when I call the Member.ClearMemberFromClient method the cookies still existed!

That's not right... so I check out what's happening, when I notice the problem:


Do you see it? If not I'll point out the problem. The cookie is not removed from the HttpContext, it is mearly set to expire immidiately. Well, at least once the context has disposed.

So the only way we can get around this is to redirect after clearing the member from the client cache.