OWIN - Delete cookies when logoff MVC

I'm having a little trouble deleting cookies when the user logs off.

I'm learning ASP.NET MVC and I've created a default MVC5 application. I've registered and logged in with accounts, and it's all fine, but when I hit logoff it works and redirects me to the home page, yet it is not deleting the cookies.

I'm checking cookies with the Chrome extension "Edit This Cookie".

First I log in, then copy the cookie using the EditThisCookie extension, then log out and delete the cookies. Now when I paste the copied cookie into the EditThisCookie extension and refresh the page, it logs me in with the same account. The cookies are not being deleted.

LogOff method:

// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    return RedirectToAction("Index", "Home");
}

I've tried these from this question:

Request.GetOwinContext().Authentication.SignOut();

Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
Huda Noor asked Feb 22 '16 09:02


1 Answer

Your way of understanding OWIN cookie-based authentication is wrong :)

  1. Logging in to the app creates an auth cookie which contains information about the authentication and claims (privileges) of the user. Nothing is written to the server session or persisted in any other way.
  2. In every request after logon, the cookie is decoded and verified to check whether the user is still authenticated. If so, it decodes the claims so they can be used later by AuthorizeAttribute.
  3. Logging off removes that cookie from the browser, but if in any way you have persisted that cookie and put it into another request, OWIN will think it is still an authenticated and valid user.

Session.Abandon won't help because DefaultAuthenticationTypes.ApplicationCookie is not session based.

If this is not the desired behaviour, you can possibly add some flag (IsAuthorized) to the session, check it in Global.asax Application_PreRequestHandlerExecute and then redirect to the login form. This way you will have the information on both the server and the client side. But remember that if server session state fails (e.g. a restart of IIS), all currently logged-in users will be logged off.

Some more information about cookie-based authentication: link

RedgoodBreaker answered Oct 28 '22 06:10
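The server-side check the answer describes, written as an added example (not the asker's or answerer's code): an MVC global action filter is used instead of Application_PreRequestHandlerExecute so that both the OWIN identity and the session are guaranteed to be populated when the check runs. The session key IsAuthorized and the login path are assumptions; the filter is registered in FilterConfig, the flag is set right after a successful sign-in, and LogOff removes it.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Assumed session key name (not from the page).
public static class AuthSession
{
    public const string Flag = "IsAuthorized";
}

// Register once in FilterConfig: filters.Add(new RequireServerSessionAttribute());
// A valid ApplicationCookie alone is not enough: the server-side flag must also exist,
// so a cookie replayed after LogOff (or after the session is gone) is rejected.
public class RequireServerSessionAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        var identity = http.User?.Identity;
        if (identity == null || !identity.IsAuthenticated) return; // anonymous: nothing to revoke

        // Do not loop on the login action or other [AllowAnonymous] endpoints.
        var action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)) return;

        var authorized = http.Session?[AuthSession.Flag] as bool?;
        if (authorized == true) return; // cookie and session agree: let the request through

        // Cookie says "authenticated" but the server has no matching session flag:
        // clear the cookie and send the user back to the login form.
        http.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        filterContext.Result = new RedirectResult("~/Account/Login");
    }
}

// Hooks in AccountController (assumed shape of the default MVC5 template):
//   after a successful SignInManager.PasswordSignInAsync(...) result:
//       Session[AuthSession.Flag] = true;
//   in LogOff(), before redirecting:
//       Session.Remove(AuthSession.Flag);
//       Session.Abandon();
//       AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
```

As the answer warns, this ties every login to in-process session state, so a session timeout or an IIS restart signs everyone out; the same effect with less state is obtained from ASP.NET Identity's security-stamp validation (SecurityStampValidator.OnValidateIdentity in Startup.Auth.cs with a short validateInterval, plus UserManager.UpdateSecurityStampAsync on logoff), which invalidates older cookies on the next validation.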