
This method when called in a WebAPI controller from the client via an AJAX call returns a 200 code but the user gets re-authenticated upon a page refresh. What am I doing wrong?

    using System.Web;
    using System.Web.Http;
    using Microsoft.Owin.Security;

    [HttpPost]
    [Route("logout")]
    public IHttpActionResult Logout() {
        // IAuthenticationManager taken from the OWIN context (see comments below)
        AuthenticationManager.SignOut();
        // the action must return a result; without this line the method does not compile
        return Ok();
    }

This works in a standard MVC controller as an ActionResult and a full page view, but it does not work via AJAX.

Asked by Oliver Kane; edited by tereško.
  • I don't know for sure, but I'm guessing the JS that is making the AJAX call is using a copy of the cookie and needs to handle the response from the server and then update/destroy the original cookie on the client. – adam0101 Aug 06 '14 at 20:19
  • Can you add response status code and try? Response.StatusCode = 303; AuthenticationManager.SignOut(); – Deepu Madhusoodanan Aug 06 '14 at 20:51
  • As a side-note, I would recommend you involve an `AntiForgeryToken` to prevent [CSRF](http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks) issues. – Rowan Freeman Aug 07 '14 at 06:29
  • Rowan, I've seen the AntiForgeryToken often in examples. Is CSRF really an issue for logging out? Can an attacker use the logout method for something more sinister? – Oliver Kane Aug 07 '14 at 17:20
  • @adam0101, that's correct, but the cookies on the client don't seem to be going away. I've tried a few things, but will be trying the status code of 303 from Deepu next. I may just give up and make a traditional page navigation type of signout. – Oliver Kane Aug 07 '14 at 17:22

1 Answer

It looks like you're using a custom AuthenticationManager class because the one built into the framework doesn't look like it has a SignOut method.

http://msdn.microsoft.com/en-us/library/system.net.authenticationmanager(v=vs.110).aspx

If that is the case, then does your AuthenticationManager class use the Session to store user info? Because WebAPI controllers do not have the same type of access to session that MVC controllers do. Reference for session in WebAPI:

Accessing Session Using ASP.NET Web API

Answered by welegan.
  • Curious! Let me review my source. At the very least, being able to use Session in the API would be pretty suave. I'm assuming the usual pitfalls of using Session apply. – Oliver Kane Aug 07 '14 at 17:14
  • So while I won't rule it out, I may have to do some digging to see what is implementing the IAuthenticationManager in my Controller. I'm grabbing it from the existing OwinContext. public IAuthenticationManager AuthenticationManager { get { return HttpContext.Current.GetOwinContext().Authentication; } } – Oliver Kane Aug 07 '14 at 17:23
  • Hmm, sounds like a lot of digging, depending on the framework you're using. Good luck! – welegan Aug 07 '14 at 18:50
  • Mostly Vanilla MVC. I'm actually quite perplexed where the concrete implementation of that property actually comes from :D I took a few pointers from https://durandalauth.azurewebsites.net so my guess is it's in part of his stuff. Not showing up when I "search solution". – Oliver Kane Aug 07 '14 at 19:01
  • So it turns out that this class you have is of different origin. That's System.Net.AuthenticationManager, which doesn't inherit or implement an interface. I'm using an IAuthenticationManager which is part of Microsoft.Owin.Security. There's an overload called – Oliver Kane Aug 07 '14 at 19:15
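The following is an added example, not code from the question, the answer or any of the commenters. It puts together the two technical threads above: the asker's Web API `Logout` action built on the `Microsoft.Owin.Security` `IAuthenticationManager` taken from the OWIN context, and Rowan Freeman's suggestion to protect the POST with an anti-forgery token. It assumes that OWIN cookie authentication is registered with the `DefaultAuthenticationTypes.ApplicationCookie` type from `Microsoft.AspNet.Identity`, that the page obtained a token pair from `System.Web.Helpers.AntiForgery.GetTokens` when it was rendered, and that the AJAX call sends the form token in a custom `X-XSRF-Token` header (the header name is an assumption of this example). The `ValidateAntiForgeryHeader` helper and the controller name are hypothetical.

```csharp
// Added example (not from the question or the answer): a Web API logout action
// on top of the OWIN IAuthenticationManager the asker resolves in the comments,
// plus anti-forgery validation for the POST.
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public class AccountController : ApiController
{
    // Same resolution the asker uses: the Microsoft.Owin.Security manager for
    // the current request, reached through the OWIN context of the HttpContext.
    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.Current.GetOwinContext().Authentication; }
    }

    [HttpPost]
    [Route("logout")]
    public IHttpActionResult Logout()
    {
        // Refuse the request unless it carries the token matching the anti-forgery cookie,
        // so a cross-site page cannot trigger the sign-out on the user's behalf.
        ValidateAntiForgeryHeader();

        // Pass the authentication type explicitly (the SignOut overload the asker
        // found). A bare SignOut() only revokes middleware registered with
        // AuthenticationMode.Active; naming the cookie type tells the cookie
        // middleware to emit the expiring Set-Cookie header regardless of its mode.
        // The assumed type is the ASP.NET Identity application cookie.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        // 200 with an empty body; the browser applies the Set-Cookie from this
        // response even though the request was made by XMLHttpRequest.
        return Ok();
    }

    // Hypothetical helper: validates the System.Web.Helpers anti-forgery token pair
    // when the form token arrives in a request header instead of a form field.
    private void ValidateAntiForgeryHeader()
    {
        string cookieToken = null;
        string formToken = null;

        // Cookie half of the pair, written when AntiForgery.GetTokens ran for the page.
        HttpCookie cookie = HttpContext.Current.Request.Cookies[AntiForgeryConfig.CookieName];
        if (cookie != null)
        {
            cookieToken = cookie.Value;
        }

        // Form half of the pair, sent by the AJAX caller in a custom header (assumed name).
        IEnumerable<string> headerValues;
        if (Request.Headers.TryGetValues("X-XSRF-Token", out headerValues))
        {
            formToken = headerValues.FirstOrDefault();
        }

        try
        {
            // Throws HttpAntiForgeryException if either token is missing or they do not match.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Surface the failure as 403 rather than an unhandled 500.
            throw new HttpResponseException(HttpStatusCode.Forbidden);
        }
    }
}
```

The `[Route]` attribute requires `config.MapHttpAttributeRoutes()` in the Web API configuration. Whether the 200 response actually clears the cookie in the browser can be checked in the developer tools: the response to the AJAX POST should carry a `Set-Cookie` header for the application cookie with an expiry in the past; if that header is absent, the sign-out never reached the cookie middleware, which is the case to investigate before touching the client-side script.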