When I create a new Asp.Net Core web application and
    services.ConfigureApplicationCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromSeconds(5);
    });
then I get logged out after 5 seconds. However, I still have the Logout button on my page at that time, and if I click on the button, I get a 400 Bad Request back.
I have then tried removing the expiration code, logging out through the logout button and then using Postman to post to the logout post action, but I get the same result.
    [AllowAnonymous]
    public class LogoutModel : PageModel
    {
        private readonly SignInManager<IdentityUser> _signInManager;
        private readonly ILogger<LogoutModel> _logger;
        public LogoutModel(SignInManager<IdentityUser> signInManager, ILogger<LogoutModel> logger)
        {
            _signInManager = signInManager;
            _logger = logger;
        }
        public void OnGet()
        {
        }
        //When I am logged out (whether by clicking on the logout button or after cookie expiration), 
        //and try to invoke this action, I get a 400 Bad Request back
        public async Task<IActionResult> OnPost(string returnUrl = null)
        {
            await _signInManager.SignOutAsync();
            _logger.LogInformation("User logged out.");
            if (returnUrl != null)
            {
                return LocalRedirect(returnUrl);
            }
            else
            {
                return Page();
            }
        }
    }
Does anyone know what is going on here?
EDIT: BTW, I am using .Net Core 2.2
All posts are protected by anti-forgery tokens out of the box. The anti-forgery token, when a user is logged in, is actually tied to that particular user. Since the user's authentication expires so quickly, pretty much by the time the page has loaded, the token is already invalid. It was created for a particular user, but that user is no longer authenticated. Therefore, the token validation will fail on the post request being made to logout, and you get a 400.
One quick fix would be to apply the [IgnoreAntiforgeryToken] attribute to your LogoutModel. That's technically removing a layer of security, but I can't see much that can be gained by a malicious bad actor forging a request to a logout endpoint.
However, this is mostly an artificial issue. You probably cranked down the auth cookie expiry to test what happens when it expires, but 5 seconds is not a realistic expiry. With that, a user would have to virtually reauthenticate with every request, which means they'd never really get past the login page. As soon as they logged in, they'd be expired, and have to log in again. With a more realistic number like 20 minutes, the likelihood that a user is going to sit on the same page for 20+ minutes, and then attempt to click "Logout" is rather low, making this mostly a non-issue.
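An alternative to `[IgnoreAntiforgeryToken]`, shown as an added example that is not part of the answer above or of the ASP.NET Core Identity templates: a global result filter that keeps antiforgery validation on the logout page and only replaces the 400 with a redirect when the request is already anonymous. The class name and the `/Identity/Account/Logout` path (the default for the scaffolded Identity UI) are assumptions.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Core.Infrastructure;
using Microsoft.AspNetCore.Mvc.Filters;

// Added example (hypothetical class name). IAlwaysRunResultFilter runs even when
// the antiforgery authorization filter has already short-circuited the request.
public class ExpiredSessionLogoutFilter : IAlwaysRunResultFilter
{
    // Assumption: default path of the scaffolded Identity UI logout page.
    private static readonly PathString LogoutPath =
        new PathString("/Identity/Account/Logout");

    public void OnResultExecuting(ResultExecutingContext context)
    {
        var http = context.HttpContext;

        // Antiforgery validation failed (this is the result that becomes the 400).
        bool antiforgeryFailed = context.Result is IAntiforgeryValidationFailedResult;

        // Only the logout POST gets special treatment.
        bool isLogoutPost = HttpMethods.IsPost(http.Request.Method)
            && http.Request.Path.Equals(LogoutPath, StringComparison.OrdinalIgnoreCase);

        // Expired or missing auth cookie: the request arrives anonymous.
        bool isAnonymous = http.User?.Identity?.IsAuthenticated != true;

        if (antiforgeryFailed && isLogoutPost && isAnonymous)
        {
            // Nothing is left to sign out of, so redirect home instead of returning 400.
            context.Result = new LocalRedirectResult("~/");
        }
        // A signed-in user with a bad or missing token still gets the 400,
        // so a forged cross-site logout stays blocked.
    }

    public void OnResultExecuted(ResultExecutedContext context) { }
}

// Registration in Startup.ConfigureServices (ASP.NET Core 2.2):
//   services.AddMvc(options => options.Filters.Add(new ExpiredSessionLogoutFilter()));
```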
On the Layout page, check for session expiration and call the LogOff action in the Account controller.
Add the script below to the Layout.cshtml section and add sessiontimeout to Appsettings.json:
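    <script>
        // Redirect to the LogOff action one minute before the configured session timeout (in minutes)
        var sessionTimeoutWarning = @Configuration.GetSection("Cookie")["sessionTimeout"] - 1;
        var sTimeout = parseInt(sessionTimeoutWarning) * 60 * 1000;
        // Pass the function itself rather than a string of code to evaluate
        setTimeout(SessionEnd, sTimeout);
        function SessionEnd() {
            window.location = "/Account/LogOff";
        }
    </script>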
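In the Account controller, add the LogOff action:
    public async Task<IActionResult> LogOff()
    {
        // Await the sign-out so the auth cookie is cleared before the redirect is sent
        await _signInManager.SignOutAsync();
        return RedirectToAction("Index", "Home");
    }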