
I've spent a week now securing my Web API, creating custom filters and using authentication tokens. My problem now is that when I make a request to my Web API using POSTMAN and the user has already signed out, I can still get values from my API.

How can I force my access token to expire? Or is there another way to manage this kind of situation?

NOTE: When I'm requesting using POSTMAN, I copied my access token from local storage.

Update:

This is what I followed in creating the access token: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api

I tried the same situation as mine in the downloaded solution, and my access token is still authenticated.

dan
  • Can you explain what logic you are using to store the authentication token? – DeepakJ Feb 26 '15 at 08:45
  • This is what I used: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api – dan Feb 26 '15 at 08:47
  • When requesting using POSTMAN I just add the authentication header and my request is still authenticated. – dan Feb 26 '15 at 08:49
  • Dan, did you already find a solution to this? The answers didn't really help me. – CularBytes Jul 20 '15 at 10:31
  • @RageCompex my implementation for this was to use a refresh token and give the access token a short lifespan (maybe 5 mins, and a day or more for the refresh token); see http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ for an implementation of refresh tokens – dan Jul 21 '15 at 04:02
  • Thanks, glad I already followed part 1 for the API and it is already halfway implemented :) – CularBytes Jul 21 '15 at 14:47

2 Answers


You need to remove the cookies and the session if signing out is not doing that.

FormsAuthentication.SignOut();
Session.Abandon();

// clear authentication cookie
HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
cookie1.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie1);

// clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);

FormsAuthentication.RedirectToLoginPage();

Reference taken from here

Community

As per http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api

In this article all the details regarding the authorization token are stored in the session along with cookies. So you have two ways to sort this out.

  1. Clear all the session state and cookies on logout.

  2. You can also make a custom authorization filter, generate custom access tokens and store them in a local file or database with a timeout limit. On logout you can clear the tokens for that user.

Here is an example of how to set up custom filters in Web API 2.

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;

// TokenL1, TokenHelper, AuthenticationFailureResult and AddChallengeOnUnauthorizedResult are
// the answerer's own helper types (the last two follow the ASP.NET Web API authentication
// filter sample); they are not part of the framework.
public class CustomAuthenticateAttribute : Attribute, IAuthenticationFilter
{
    public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        HttpRequestMessage request = context.Request;
        AuthenticationHeaderValue authorization = request.Headers.Authorization;

        // No Authorization header, or a scheme this filter does not handle: leave the
        // request unauthenticated and let other filters or [Authorize] decide.
        if (authorization == null)
            return;

        if (authorization.Scheme != "Bearer")
            return;

        if (String.IsNullOrEmpty(authorization.Parameter))
        {
            context.ErrorResult = new AuthenticationFailureResult("Missing token", request);
            return;
        }

        // Decrypt and validate the server-issued token. Because the server holds the
        // token record, deleting it at logout is what revokes a copied token.
        TokenL1 tokenL1;
        var validateToken = TokenHelper.DecryptToken(authorization.Parameter, out tokenL1);
        if (!validateToken)
        {
            context.ErrorResult = new AuthenticationFailureResult("Token invalid", request);
            return;
        }
        if (!(tokenL1.tokenexpiry > DateTime.Now))
        {
            context.ErrorResult = new AuthenticationFailureResult("Token expired", request);
            return;
        }

        // A freshly constructed GenericPrincipal is never null, so no null check is needed here.
        context.Principal = new GenericPrincipal(new GenericIdentity(tokenL1.email), new string[] { "user" });
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // Advertise the Bearer scheme in WWW-Authenticate when the request ends up unauthorized.
        var challenge = new AuthenticationHeaderValue("Bearer");
        context.Result = new AddChallengeOnUnauthorizedResult(challenge, context.Result);
        return Task.FromResult(0);
    }

    public bool AllowMultiple
    {
        get { return false; }
    }
}

Use this custom filter on a controller action like this (IAuthenticationFilter is a Web API filter, so it applies to ApiController actions, not to MVC ActionResult methods):

[CustomAuthenticate]
public IHttpActionResult Index()
{
    return Ok();
}
DeepakJ
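The second answer's option 2 (keep token state on the server and clear it at logout) worked through for the bearer tokens the linked article issues: this is added example code, not from the article or either answer. It assumes the Web API "individual accounts" template (its static Startup.OAuthOptions) and that the token provider adds a unique "jti" claim to each issued identity; RevokedTokens, RevocableBearerAttribute and the in-memory store are hypothetical names.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;
using Microsoft.Owin.Security;
// Deny-list of token ids revoked at logout (in-memory for illustration; a web farm needs a
// shared store). Logout calls Revoke() with the "jti" and ExpiresUtc of the caller's own token.
public static class RevokedTokens
{
    static readonly ConcurrentDictionary<string, DateTimeOffset> Store = new ConcurrentDictionary<string, DateTimeOffset>();
    public static void Revoke(string jti, DateTimeOffset expiresUtc) { Store[jti] = expiresUtc; }
    public static bool IsRevoked(string jti)
    {
        DateTimeOffset exp;
        if (!Store.TryGetValue(jti, out exp)) return false;
        if (exp > DateTimeOffset.UtcNow) return true;
        Store.TryRemove(jti, out exp);   // the token expired on its own; the entry is no longer needed
        return false;
    }
}
// Authentication filter: unprotects the bearer token with the format the template's
// authorization server issued it with (Startup.OAuthOptions is the template's static
// OAuthAuthorizationServerOptions) and rejects it when expired or revoked. Pair with [Authorize].
public class RevocableBearerAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            return Task.FromResult(0);   // no bearer token: stay anonymous, [Authorize] will reject
        AuthenticationTicket ticket = null;
        try { ticket = Startup.OAuthOptions.AccessTokenFormat.Unprotect(auth.Parameter); }
        catch (Exception) { }            // tampered or foreign token: handled as null below
        Claim jti = ticket == null ? null : ticket.Identity.FindFirst("jti");   // added by the token provider
        bool expired = ticket != null && ticket.Properties.ExpiresUtc <= DateTimeOffset.UtcNow;
        if (ticket == null || jti == null || expired || RevokedTokens.IsRevoked(jti.Value))
            context.ErrorResult = new UnauthorizedResult(new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
        else
            context.Principal = new ClaimsPrincipal(ticket.Identity);
        return Task.FromResult(0);
    }
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    { context.ChallengeWith("Bearer"); return Task.FromResult(0); }   // WWW-Authenticate: Bearer on 401
}
```

A logout action decorated with [RevocableBearer] unprotects its own Authorization header the same way and calls RevokedTokens.Revoke(jti, ticket.Properties.ExpiresUtc), after which a token copied from local storage into POSTMAN is refused on the next request; short access-token lifetimes plus refresh tokens, as in dan's comment, keep the deny-list small.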