Why does AuthenticationManager.SignOut() Fail when I Change the Response?

I just started fiddling around with OWIN/Katana and MVC.NET 5.0. The default Visual Studio 2013 ASP.NET Web Application/MVC Template has an AccountController with a LogOut() action:

public ActionResult LogOff() {
    AuthenticationManager.SignOut();
    return RedirectToAction("Index", "Home");
}

As expected, this works just fine. However, when I change the response status code, e.g. by:

    Response.SetStatus(HttpStatusCode.SeeOther);

... the AuthenticationManager.SignOut() method no longer causes the user to become logged off. Why is that?

I tried different approaches for setting the HTTP status code for the response, as well as changing HTTP headers like Location, and always with the same result: the user is not logged off when the LogOff() action is executed, if I get into tampering with the response.

I tried not using RedirectToAction (which explicitly implements a 302 redirect - that's another story), and not returning an ActionResult, but that made no difference - not that I'd really expect it to.

Using Fiddler I can tell that the response as it appears to the browser looks fine, not holding any surprises.

I also tried looking through the source code of the OWIN middleware at work, but the architecture is still unfamiliar to me, and I found no answers that I could grasp in there. I need your help in sorting this out, so thank you in advance!

Oskar Lindberg asked Dec 13 '13 10:12


2 Answers

The reason AuthenticationManager.SignOut() fails is that Response.SetStatus(HttpStatusCode.SeeOther) internally ends the response:

public static void SetStatus(this HttpResponseBase response, int httpStatusCode)
{
  response.StatusCode = httpStatusCode;
  response.End();
}

(See System.Web.WebPages.ResponseExtensions)

After this, naturally the ResponseManager cannot manipulate the response to remove cookies etc.

Oskar Lindberg answered Oct 23 '22 03:10


This works fine for me with the following LogOut method, are you doing something slightly differently?

    //
    // POST: /Account/LogOff
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        Response.StatusCode = 303;
        AuthenticationManager.SignOut();
        return RedirectToAction("Index", "Home");
    }
Hao Kung answered Oct 23 '22 02:10
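Putting both answers together: the accepted explanation is that SetStatus() calls Response.End(), after which nothing further (including the Set-Cookie that expires the authentication cookie) can be added to the headers, while the second answer shows that assigning Response.StatusCode directly works. The following is an added example, not code from either answer or from the Visual Studio template, showing how to send a 303 See Other without ever calling Response.End(). It assumes an ASP.NET MVC 5 project with Microsoft.Owin.Host.SystemWeb referenced (which supplies HttpContext.GetOwinContext()); the SeeOtherResult class and its constructor parameters are hypothetical names introduced here.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;

// Hypothetical ActionResult (not part of MVC) that answers 303 See Other.
// It sets the status code and Location header but never calls
// Response.End(), so any headers the OWIN cookie middleware adds while
// the response is being sent (the cookie deletion from SignOut) still
// reach the browser.
public class SeeOtherResult : ActionResult
{
    private readonly string _actionName;
    private readonly string _controllerName;

    public SeeOtherResult(string actionName, string controllerName)
    {
        _actionName = actionName;
        _controllerName = controllerName;
    }

    public override void ExecuteResult(ControllerContext context)
    {
        var url = new UrlHelper(context.RequestContext).Action(_actionName, _controllerName);
        var response = context.HttpContext.Response;

        response.StatusCode = (int)HttpStatusCode.SeeOther; // 303
        response.RedirectLocation = url;                      // Location header

        // Deliberately NO response.End() here: that is what
        // Response.SetStatus() does internally, and it is what stops
        // AuthenticationManager.SignOut() from taking effect.
    }
}

public class AccountController : Controller
{
    // Same accessor the VS 2013 template uses for the Katana auth manager.
    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // POST + anti-forgery token: a logout reachable by plain GET can be
    // triggered from another site (logout CSRF), so keep both attributes
    // exactly as the template has them.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut();
        return new SeeOtherResult("Index", "Home");
    }
}
```

To confirm the fix in the browser's developer tools or in Fiddler, the response to POST /Account/LogOff should show status 303, a Location header pointing at /, and a Set-Cookie header for the application cookie with an expiry date in the past; with Response.SetStatus() in place that Set-Cookie header is the one that goes missing.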