6

I have a OWIN Middleware for authentication. We have two type of authentication in place. First type is bearer token using the following configuration

var OAuthOptions =  new OAuthAuthorizationServerOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = true,
        AccessTokenFormat = new SecureTokenFormatter(GetMachineKey())
    };

And second type use authentication cookie for external Login

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.SameAsRequest,
    CookieName = ".AspNet." + DefaultAuthenticationTypes.ExternalCookie,
    ExpireTimeSpan = TimeSpan.FromMinutes(5),
    TicketDataFormat = new SecureTokenFormatter(GetMachineKey())
});

When the User Logout, we actually issue two Logout

Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);

And

Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalBearer);

With the first one, I am expecting to see the .AspNet.ExternalCookie Cookie deleted from the Browser, which is not. With the second one, I am expecting to get my Token invalidated and The User.Current.Identity = null, which is not.

So how I can 1) Physically logout the current Identity for the current Session? 2) Remove the external Cookie from the Browser?

YtramX
  • 172
  • 10
Raffaeu
  • 6,694
  • 13
  • 68
  • 110
  • I solve the same issue by :Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie); FederatedAuthentication.SessionAuthenticationModule.SignOut(); – SeeSharp Aug 20 '16 at 07:46

1 Answers1

0

I had the same issue you had and after 3 days of searching I found the asnwer(sort of...).

Try ONE(and only one) of these code lines in your log out. (they all worked for me, but and I'm using the first one, but the more examples the better, right??)

Request.GetOwinContext().Authentication.SignOut();

Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

The problem is well described in this article, but it does not provide a working fix(at least for me it didn't) http://coding.abel.nu/2014/11/catching-the-system-webowin-cookie-monster/

Stralos
  • 4,895
  • 4
  • 22
  • 40