Closing session properly in owin MVC5

In our web application, which is MVC5, with Owin, when we do sign out we have this code:

    public ActionResult LogOut()
    {
        using (MiniProfiler.Current.Step("AccountController.LogOut"))
        {
            // ASP.NET session state (separate from the OWIN auth cookie)
            Session.Clear();
            Session.Abandon();

            // OWIN cookie middleware: instructs the browser to drop the auth cookie
            AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

            // Stop the logout response (and the pages before it) being served from cache
            Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetNoStore();

            return RedirectToDefault();
        }
    }

Startup.Auth looks like this:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        CookieName = ".<cookiename>",
        LoginPath = new PathString("/Account/LogOn")
    });

We verified that after signing out, the cookies on the client (in the browser) are removed. But then we got a security evaluation by a 3rd party that said:

"When a user logs out of a web application, their session should be invalidated on the server-side and client-side. In the Workforce application, the server does not terminate the user's cookies on the server-side when the user logs out. After logging out, users can still utilize the old cookie values to reach internal pages and information. In a shared computer environment, this could allow an unauthorized user to access internal application pages and data using the previous user's session. Recommendation: When users log out of the application, the server should terminate the user's session on the client-side and server-side. HTTP cookies should be removed for the user's browser and the session and associated session variables on the server should be removed. For more information, see the session management section of the OWASP Authentication Cheat Sheet: https://www.owasp.org/index.php/Authentication_Cheat_Sheet"

Basically the problem is that if the authorization cookies are copied while the user is logged in, and then manually applied after signing out, the site accepts the login. When I tried this trick against my bank, it didn't work. So there is some merit behind this report.

Any idea how we can address it?

Maxim Alexeyev asked Oct 30 '22 22:10

1 Answer

After some investigation with our team, we came to the following conclusion about how it works.

The cookies in question are not session-related cookies. They are cookies that carry encrypted claims. So what we actually observed was the session being correctly closed on the server. However, if those "authentication" cookies are attached to a new request, and the authentication has not yet expired, the web server just creates a new session.

The very helpful link that pointed us to the answer is this: http://forums.asp.net/t/1988295.aspx?Session+Authentication+not+removed+server+side+after+logout

Maxim Alexeyev answered Nov 13 '22 04:11
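The answer above explains the root cause: the Katana cookie middleware is stateless, the cookie is the whole ticket, and `SignOut` only tells the browser to delete it, so a copied cookie stays valid until `ExpireTimeSpan` runs out. The following is an added example, not code from the question, the answer, or the linked forum thread, showing one way to close that gap: give the middleware a server-side ticket store via `CookieAuthenticationOptions.SessionStore`. With a store configured, the cookie carries only an opaque key, `SignOut` calls the store's `RemoveAsync`, and a replayed cookie no longer resolves to a ticket. The `IAuthenticationSessionStore` interface and the `SessionStore` property are the real Katana API (Microsoft.Owin.Security.Cookies); the `InMemoryTicketStore` class, the dictionary backing it, and the expiry values are my own stand-ins.

```csharp
// Added example: server-side ticket store for OWIN cookie authentication.
// Not the original poster's code. InMemoryTicketStore is a stand-in for a
// distributed cache or database table keyed by ticket id.
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Keeps the full AuthenticationTicket on the server; the cookie only holds the key.
public class InMemoryTicketStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    // Called on sign-in: the returned key is what ends up (encrypted) in the cookie.
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N"); // opaque and unguessable
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    // Called when sliding expiration refreshes the ticket.
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.FromResult(0);
    }

    // Called on every authenticated request. Returning null makes the middleware
    // treat the cookie as invalid, which is exactly what a replayed cookie gets
    // after the entry has been removed.
    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        _tickets.TryGetValue(key, out ticket);
        return Task.FromResult(ticket);
    }

    // Called by AuthenticationManager.SignOut(...): this is the server-side invalidation
    // the assessment asked for.
    public Task RemoveAsync(string key)
    {
        AuthenticationTicket removed;
        _tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieName = ".<cookiename>",
            LoginPath = new PathString("/Account/LogOn"),
            SessionStore = new InMemoryTicketStore(),   // the line that changes the behaviour
            ExpireTimeSpan = TimeSpan.FromMinutes(30),   // assumed value; tune to your policy
            SlidingExpiration = true
        });
    }
}
```

The `LogOut` action from the question needs no change: `AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie)` already triggers `RemoveAsync` once a store is configured. To confirm the fix, repeat the assessor's test: copy the auth cookie while logged in, log out, replay the copied cookie against an `[Authorize]` page, and expect a redirect to `LoginPath` instead of the page. Two caveats: an in-memory dictionary is lost on app restart and is not shared across a web farm, so production deployments should back the store with a distributed cache or database; and if you prefer to stay stateless, the ASP.NET Identity alternative is `SecurityStampValidator.OnValidateIdentity` in `CookieAuthenticationProvider.OnValidateIdentity` together with `UserManager.UpdateSecurityStampAsync(userId)` on logout, which rejects old cookies once the stamp changes, but only at the granularity of `validateInterval`.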