While doing a security review I noticed that the authentication (.ASPXAUTH) and session (ASP.NET_SessionID) cookies were removed from the client using a standard Set-Cookie header. But if those headers are suppressed, the session and authentication still work; that is, neither the authentication state nor the session was removed on the server side.
This means there is no effective way to close a session: the user's browser may "forget" the cookie, but anyone able to sniff the content can still have an active session on the system. I see it as a kind of "reverse session fixation" or "dangerous persistent session".
So I tried to find a way to remove the session on the server, and none of the following (or any combination of them) works (although the content is cleared, the session itself remains active):
Request.Cookies.Remove("ASP.NET_SessionID");
Request.Cookies["ASP.NET_SessionID"] = null;
Request.Cookies["ASP.NET_SessionID"].Expires = DateTime.Now.AddDays(-1);
Session.Abandon();
Regenerating the session ID using SessionIDManager
How, then, can the session and authentication state be "deleted" from the server, so that if a browser resends the same ID in a cookie it is not recognized and is thus considered invalid?
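The behaviour described in the question has two halves: the session store keeps (or silently recreates) a session for any id the client presents, and the authentication ticket is self-contained, so clearing the cookie proves nothing to the server. The following is an added, language-agnostic illustration of the server-side checks that close both gaps; it is not code from the original post and not ASP.NET code. The class names, the constructed key and the timestamps are all assumptions made for the example. It shows (1) a session registry that refuses an invalidated id instead of adopting it, and (2) a signed stateless ticket, in the spirit of a forms-authentication ticket, that is rejected once the server records a logout time later than the ticket's issue time.

```python
"""Server-side invalidation of sessions and signed auth tickets.

Added illustration, not from the original post and not ASP.NET code.
All identifiers, keys and timestamps below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side signing key; a real deployment loads it from config.
SERVER_KEY = b"example-key-not-for-production"


class SessionStore:
    """Server-side session registry keyed by an unguessable random id."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        # The server, never the client, chooses the id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid):
        # An unknown or invalidated id yields nothing. The presented id is
        # never reused as the name of a fresh session, so a replayed cookie
        # cannot quietly turn back into a live session.
        return self._sessions.get(sid)

    def invalidate(self, sid):
        return self._sessions.pop(sid, None) is not None


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_ticket(user: str, issued_at: float) -> str:
    """Self-contained ticket: base64(payload).base64(hmac)."""
    payload = json.dumps({"user": user, "iat": issued_at}).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(_sign(payload)).decode())


class TicketValidator:
    """Accepts a ticket only if it was issued after the user's last logout."""

    def __init__(self):
        self._logged_out_at = {}

    def logout(self, user: str, at: float):
        # The only server-side state needed: one timestamp per user.
        self._logged_out_at[user] = at

    def validate(self, ticket: str):
        try:
            payload_b64, mac_b64 = ticket.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(mac, _sign(payload)):
            return None  # forged or damaged ticket
        claims = json.loads(payload)
        cutoff = self._logged_out_at.get(claims["user"])
        if cutoff is not None and claims["iat"] <= cutoff:
            return None  # ticket predates the logout: treat as anonymous
        return claims["user"]


def demo():
    """Replays the same cookies before and after logout; returns the outcomes."""
    store = SessionStore()
    sid = store.create({"cart": ["item-1"]})
    validator = TicketValidator()
    ticket = issue_ticket("alice", issued_at=1000.0)

    results = {
        "session_before_logout": store.lookup(sid) is not None,
        "ticket_before_logout": validator.validate(ticket),
    }
    # Logout: drop the server-side session and record the logout time.
    store.invalidate(sid)
    validator.logout("alice", at=1500.0)

    # The client (or an eavesdropper) resends the very same cookie values.
    results["session_after_logout"] = store.lookup(sid) is not None
    results["ticket_after_logout"] = validator.validate(ticket)
    # A fresh login after the logout is accepted again.
    results["new_ticket_after_logout"] = validator.validate(
        issue_ticket("alice", issued_at=1501.0))
    return results


if __name__ == "__main__":
    print(demo())
```

The key design point is that logout must change something on the server, either by deleting the session record or by recording a per-user cutoff that every later request is checked against; expiring the cookie on the client alone only asks a cooperative browser to forget it.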