ASP.NET Membership Log Out

My boss likes to say “never use the words ‘simple’ or ‘easy’ in our line of work” and today was one of those days that demonstrates exactly why he loves this saying.

We were asked to setup an auto logout feature that redirects to the login screen. I’ve done so much Windows Authentication work that I’ve never actually had to build this functionality. I went straight to my favorite search engine and I found the following code.

FormsAuthentication.SignOut();
Session.Abandon();
FormsAuthentication.RedirectToLoginPage();

Everyone was commenting about how this worked great and lo and behold it wasn’t working. More research and I found an article that explained that the above neglected to clear cookies sometimes and that to 100% ensure a sign out you should clear the forms authentication and session cookies.

The following code is what I ended up using in our application. It only expires the cookies that are forms authentication and session related.

FormsAuthentication.SignOut();
Session.Abandon();

var cookies = new List<string>
{
    "ASP.NET_SessionId", 
    FormsAuthentication.FormsCookieName, 
    ".ASPXROLES"
};

foreach (var cookie in cookies)
{
    if (Request.Cookies.AllKeys.Contains(cookie))
    {
        Request.Cookies[cookie].Expires = DateTime.Now.AddYears(-1);
    }
}

FormsAuthentication.RedirectToLoginPage();

Wireless Security Tip: Don’t Connect Automatically

I have a quick tip that will exponentially increase your laptop, tablet, or even phone security. When you’re setting up your wireless connections, there are 2 options that you should never turn on: 1) “connect automatically when this network is in range” or “start this connection automatically” and 2) “connect even if the network is not broadcasting”.

You can blame hidden wireless networks for this gaping security hole. The How-To Geek has a really good article explaining why you shouldn’t use hidden wireless networks.

Why should I turn off these convenience features?

When you use the auto connect features of WiFi, your device will seek out the wireless connection. In the process of seeking out the connection, it also broadcasts the connection information. Devices such as WiFi Pineapples can be built to scan for the broadcasts coming from your devices. Once it has found a device, it automatically configures a matching connection and allows you to connect. Once you’re connected, your internet traffic can be monitored.

The following comes directly from the product information of Hak5’s WiFi Pineapple:

You see most laptops have network software that automatically connects to access points they remember. This convenient feature is what gets you online without effort when you turn on your computer at home, the office, coffee shops or airports you frequent.

Simply put, when your computer turns on the wireless radio send out out beacons. These beacons say “Is such-and-such wireless network around?” Jasager, German for “The Yes Man”, replies to these beacons and says “Sure, I’m such-and-such wireless access point – let’s get you online!”

Of course all of the Internet traffic flowing through the pineapple such as e-mail, instant messages and browser sessions are easily viewed or even modified by the pineapple holder.

Secure Computing: Up-To-Date Anti-Virus

What is the number one reason why most people with virus prevention programs installed on their computer become infected? The answer is quite simple. The virus prevention software isn’t kept up-to-date.

Anti-virus software is only as good as its virus definition database and its detection software. Commercial anti-virus vendors only provide adequate updates to the virus definition and the detection software as long as the customer has paid for the updates. Today, most vendors provide 1 year of updates with the purchase of their products and many consumers choose not to renew update subscriptions after the initial period. Unfortunately, by not extending subscriptions consumers leave their computers at risk of infection.

Fortunately, free anti-virus vendors have been getting better and better reviews giving consumers another solution. There are three free anti-virus solutions that I would recommend: AntiVir Personal, Avast Home Edition, and AVG Free. These all have comparable features, free updates, and you can checkout http://www.av-comparatives.org/ for comparisons of their effectiveness against malicious code.