What does the CookieAuthenticationOptions.LogoutPath property do in ASP.NET Core 2.1?

In ASP.NET Core 2.1, can anyone explain what the CookieAuthenticationOptions.LogoutPath does? Per the documentation it says:

If the LogoutPath is provided the handler then a request to that path will redirect based on the ReturnUrlParameter.

But I don't even think that sentence has proper grammar, so I'm confused by the meaning.

In Startup.cs, I have it set like this:

// Added after AddMvc()
services.ConfigureApplicationCookie(options =>
{
    options.LogoutPath = $"/account/logout";
});
  1. When will this be called?

  2. Do I need to create a corresponding GET action in my AccountController and View for this? Or will a POST action work? For example:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await _signInManager.SignOutAsync();
        return RedirectToAction("Index", "Home");
    }
    
  3. Does my Logout action need to sign the user out or will they have already been signed out by that point?

asked Oct 08 '18 20:10 by Daniel Congrove

1 Answer

The LogoutPath that you can configure with the cookie authentication scheme is an odd one. While the LoginPath has a direct effect and is basically the URL that the end user is being redirected to when the cookie authentication is challenged, the LogoutPath is not used directly.

Instead, the configured LogoutPath is just being used to validate the current URL when a sign-out happens with the cookie authentication scheme. The check looks like this:

// Only redirect on the logout path
var shouldRedirect = Options.LogoutPath.HasValue && OriginalPath == Options.LogoutPath;
await ApplyHeaders(shouldRedirect, context.Properties);

So this basically checks whether the OriginalPath, which is the current request’s path, is equal to the configured logout path. If that’s the case, then the ApplyHeaders call will perform a redirect to the RedirectUri of the authentication properties.

The purpose of this is to make sure that a redirect back to a path can only happen when the real logout URL is being accessed. So for example, if the user clicks the logout button, they might get logged out and then redirected back to where they came from. But if they are logged out elsewhere, then they are not redirected back automatically, since only the logout URL is considered a safe place to redirect the user back.

The same logic exists for the LoginPath too, by the way, but there is the additional logic that the cookie authentication scheme will also redirect to that URL when the scheme is challenged (e.g. when authentication is required through an authorize filter).

Do I need to create a corresponding GET action in my AccountController and View for this? Or will a POST action work?

That’s up to you and how you want to handle the logout. For the above logic to run, you just need any action on that route, so you can also do a POST to require users to perform a form submission in order to sign them out (to prevent accidental sign out through GET requests).

Does my Logout action need to sign the user out or will they have already been signed out by that point?

You will have to call SignOutAsync yourself, since there is no implicit handling for these routes. Just like you also need to implement your own login logic on the LoginPath, you also need to implement the logout logic.

The configured paths are really just for the cookie scheme to know where those routes are, but they do not have any impact on their behavior.

answered Oct 05 '22 05:10 by poke
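The following is an added example, not code from the question or the answer above, that puts the LogoutPath check into practice with ASP.NET Core Identity: the configured path matches the route of a POST-only Logout action, the action signs the user out itself (as the answer says it must), and any returnUrl it receives is validated as local before it is used, because the handler passes RedirectUri through unchecked. AccountController, IdentityUser and the /account/logout route are assumptions of this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Startup.ConfigureServices, after AddDefaultIdentity()/AddIdentity() and AddMvc():
// services.ConfigureApplicationCookie(options =>
// {
//     options.LoginPath  = "/account/login";
//     options.LogoutPath = "/account/logout"; // must equal the Logout action's route below
// });

[Route("account")]
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // POST /account/logout. The request path equals Options.LogoutPath, so the application
    // cookie handler's "shouldRedirect" check is true while this request signs out.
    // POST + anti-forgery token prevents sign-out via a crafted GET link or image tag.
    [HttpPost("logout")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(string returnUrl = null)
    {
        // The handler redirects to RedirectUri verbatim, so a caller-supplied value must be
        // restricted to local URLs; anything else falls back to the site root.
        var safeReturnUrl = Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Content("~/");

        // SignInManager.SignOutAsync() clears the application, external and two-factor cookies
        // but passes no AuthenticationProperties, so the handler has no RedirectUri to apply
        // and this action has to issue the redirect itself.
        await _signInManager.SignOutAsync();
        return LocalRedirect(safeReturnUrl);

        // Alternative that lets the cookie handler perform the redirect: the SignOutResult
        // signs out of the application scheme during result execution, the handler sees
        // OriginalPath == LogoutPath and writes the 302 to RedirectUri. Issued from any other
        // path, the cookie is still cleared but no redirect is written.
        // return SignOut(new AuthenticationProperties { RedirectUri = safeReturnUrl },
        //                IdentityConstants.ApplicationScheme);
    }
}
```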