OWIN - Authentication.SignOut() doesn't seem to remove the cookie

I'm having some issues with OWIN Cookie authentication. I have a .Net site that has some MVC pages which uses cookie authentication and WebAPI resources protected by a bearer token.

When I log out, I delete the access token on the client, so subsequent API requests will not have the token in the header and will thus fail the authentication. This part is fine.

In the same manner, I would also like the log out to delete the cookie used by the MVC pages. I did the following on the server:

    [Route("Logout")]
    public IHttpActionResult Logout()
    {
        var ctx = Request.GetOwinContext();
        var authenticationManager = ctx.Authentication;
        authenticationManager.SignOut();
        return Ok();
    }

However, after calling Logout, I can still visit the protected MVC page even though the cookie would have supposedly been deleted by the Logout call.

It seems so simple, so I might have missed something.

Thanks,

asked Mar 11 '15 23:03 by jaeyow


1 Answer

I had a similar problem for the past few days. Instead of

    Request.GetOwinContext().Authentication.authenticationManager.SignOut();

Use ONE (and only one) of these:

    Request.GetOwinContext().Authentication.SignOut();

    Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

    HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

This article explains why your cookies don't get deleted: https://dzone.com/articles/catching-systemwebowin-cookie

I know my answer isn't the most research-based, but to tell you the truth, I just couldn't find WHY my provided code examples work for me. I just know that System.Web messes up Owin's cookies if you do SignOut() another way.

answered Sep 20 '22 15:09 by Stralos
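The two pieces a practitioner would want together, as an added example that is neither the asker's nor Stralos's code: the Logout action naming the cookie authentication type explicitly, plus the Startup option that routes OWIN cookie writes through System.Web's cookie collection (the System.Web/OWIN interaction the linked article describes). It assumes ASP.NET MVC 5 / Web API 2 with ASP.NET Identity defaults and Microsoft.Owin.Host.SystemWeb 3.x, which ships SystemWebCookieManager; the class and route names are placeholders.

```csharp
// Added example; assumes Katana 3.x + ASP.NET Identity defaults (not the page's own code).
using System.Web;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // Write OWIN's cookies through System.Web's response cookie collection so the
            // expiring Set-Cookie produced by SignOut is not lost when both pipelines
            // touch response cookies in the same request.
            CookieManager = new SystemWebCookieManager()
        });
    }
}

public class AccountController : ApiController
{
    // POST only: a logout reachable by GET can be triggered by a plain link or image tag.
    [HttpPost]
    [Route("Logout")]
    public IHttpActionResult Logout()
    {
        var auth = Request.GetOwinContext().Authentication;
        // Name the cookie middleware explicitly so sign-out does not depend on the
        // middleware's AuthenticationMode (Active vs Passive) to pick it up.
        auth.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return Ok();
    }
}
```

To verify, inspect the Logout response for a Set-Cookie header that expires `.AspNet.ApplicationCookie` (the default cookie name for that authentication type) and confirm the next request to a protected MVC page is redirected to LoginPath.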