How do I invalidate a session?
Repro:
Is there any way to make the cookies previously copied invalid?
I'm using the standard MVC5 logoff function.
    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut();
        return RedirectToAction("Index", "Home");
    }

    private IAuthenticationManager AuthenticationManager
    {
        get
        {
            return HttpContext.GetOwinContext().Authentication;
        }
    }
Also tried signing out just the cookie.
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
Thought changing the SecurityStamp would also work but since the claim hasn't changed, the stamp doesn't either.
UserManager.UpdateSecurityStampAsync(user.UserName);
I've also tried this function which the documentation says should invalidate the session. http://msdn.microsoft.com/en-us/library/system.web.sessionstate.httpsessionstate.abandon(v=vs.110).aspx
Session.Abandon();
I didn't know of the cookie issue you described, but I needed to let users invalidate sessions from a desktop app, so the users on the desktop can kick someone off the web app. I did this by creating a GUID when they log in and storing the GUID in my database and a cookie. Then I override AuthorizeAttribute.AuthorizeCore to check that the GUID in my database is still valid. My table with the GUID has a column IsValid, and I change IsValid to false when they log out, or someone from the desktop kicks them off.
If you had a similar sessions table with KeyId and IsValid columns, and overrode AuthorizeAttribute.AuthorizeCore, you could check the IsValid column in your database vs relying on cookies.
I hope that gives you an idea.
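A sketch of the server-side check described in the answer above, added here as an example and not code from either poster. `SessionStore`, `SessionAuthorizeAttribute` and the cookie name `SessionKey` are hypothetical names, and the in-memory dictionary is an assumed stand-in for the database table with `KeyId` and `IsValid` columns.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;

// Hypothetical stand-in for the sessions table (KeyId, IsValid).
// A real application would keep this in the database so that every
// web server sees a revocation immediately.
public static class SessionStore
{
    // KeyId -> IsValid
    private static readonly ConcurrentDictionary<Guid, bool> Rows =
        new ConcurrentDictionary<Guid, bool>();

    // Call at login; send the returned KeyId to the browser in a cookie.
    public static Guid Create()
    {
        var keyId = Guid.NewGuid();
        Rows[keyId] = true;
        return keyId;
    }

    // Call from LogOff, or from an admin tool that kicks a user off.
    public static void Invalidate(Guid keyId)
    {
        Rows.TryUpdate(keyId, false, true);
    }

    public static bool IsValid(Guid keyId)
    {
        bool valid;
        return Rows.TryGetValue(keyId, out valid) && valid;
    }
}

// Use in place of [Authorize] on controllers and actions.
public class SessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the normal authentication and role checks.
        if (!base.AuthorizeCore(httpContext)) return false;

        HttpCookie cookie = httpContext.Request.Cookies["SessionKey"];
        Guid keyId;
        // Missing, malformed, unknown or revoked key: fail closed.
        return cookie != null
            && Guid.TryParse(cookie.Value, out keyId)
            && SessionStore.IsValid(keyId);
    }
}
```

Calling `SessionStore.Invalidate` in `LogOff` before `AuthenticationManager.SignOut()` means a copy of the cookies taken before logout is rejected on its next request, because the decision is made against server-side state and not against the cookie contents alone.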