21

I am using the OWIN middleware in an external Authentication Server that my applications authenticate to using OAuth Authorisation Code Grant flow.

I can redirect to the Authentication Server, authenticate against an external provider (Google) and redirect back to my client application with a logged-in user and Application Cookie set just fine; however, when I try to sign out, the cookie remains after I call the AuthenticationManager.SignOut method.

My cookie options in Startup.Auth.cs are:

// Startup.Auth.cs: cookie middleware registered under the AuthenticationType "Application"
var cookieOptions = new CookieAuthenticationOptions
{
    Provider = cookieProvider,
    AuthenticationType = "Application",
    AuthenticationMode = AuthenticationMode.Passive,
    LoginPath = new PathString("/Account/Index"),
    LogoutPath = new PathString("/Account/Logout"),
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(30),
};
app.UseCookieAuthentication(cookieOptions);

// External (Google) logins are captured in the external cookie first
app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ExternalCookie);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

My login method:

// Read the external login that the external cookie middleware captured
var loginInfo = await AuthManager.GetExternalLoginInfoAsync();
await SignInManager.ExternalSignInAsync(loginInfo, true);
var identity = (await AuthManager.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie)).Identity;

if (identity != null)
{
    // Re-issue the external claims as the "Application" cookie
    AuthManager.SignIn(
        new AuthenticationProperties { IsPersistent = true },
        new ClaimsIdentity(identity.Claims, "Application", identity.NameClaimType, identity.RoleClaimType));

    // Passive mode: ask the cookie middleware explicitly whether it now has a ticket
    var ticket = await AuthManager.AuthenticateAsync("Application");
    var appIdentity = ticket != null ? ticket.Identity : null;
    if (appIdentity == null)
    {
        AuthManager.Challenge("Application");
        return new HttpUnauthorizedResult();
    }

    // Also sign in a "Bearer" identity for the OAuth token endpoint
    AuthManager.SignIn(new ClaimsIdentity(appIdentity.Claims, "Bearer", appIdentity.NameClaimType, appIdentity.RoleClaimType));
}

// ReturnUrl is used as-is here; it is not checked to be a local URL
return Redirect(Request.QueryString["ReturnUrl"]);

Sign Out method:

// Sign out of every authentication type that may have issued a ticket
var authTypeNames = new List<string>
{
    "Google",
    "Application",
    "Bearer",
    DefaultAuthenticationTypes.ExternalCookie
};

Request.GetOwinContext().Authentication.SignOut(authTypeNames.ToArray());

I have looked at other questions like: OWIN authentication, expire current token and remove cookie and OWIN - Authentication.SignOut() doesn't remove cookies

with no luck. I'm aware I could manually delete the cookie by setting a negative expiry date, but I'd prefer to use the built-in method if possible.

How do I get the Application Cookie to be removed when I Sign Out?

Steve
  • well.. not the first time this is pointed out http://stackoverflow.com/questions/22571696/mvc5-identity-owin-signout-events – ymz Jan 20 '16 at 00:10
  • @ymz, that's a different question. I'm asking about signing out using an external Authentication Server called from another application. – Steve Jan 20 '16 at 00:17
  • Apparently the only external provider that you can fully log out of is the MSAL (MS OpenIDC) provider, by calling Authentication.SignOut() - this will invoke the sign-out flow for OpenIDC. For other providers (Google, Facebook) this will not work; actually the only way is to redirect after sign-out to their portal and let the user log out from the provider's portal. – KeiserSoze Jun 14 '23 at 15:10

5 Answers

3

In order for the SignOut method to flag the authentication ticket (cookie) for removal from the client, the AuthenticationType parameter you pass into the SignOut method and value on the cookie must match exactly. If you want to remove more than one authentication ticket from the client then you'll have to match ALL of those AuthenticationTypes and pass those as a string[] to the SignOut method.

The AuthenticationType of an authentication ticket is usually prefixed with the name of the host web container (i.e. something like ".AspNet.") followed by whatever you bootstrapped your OWIN CookieAuthentication settings with.

It looks like you set your AuthenticationType string value to "Application" in Startup.Auth.cs. Try simply calling:

Request.GetOwinContext().Authentication.SignOut("Application");

If that's not working for you, I would debug your application and take a look at the specific AuthenticationType on the identity for each type of authenticated user your application allows, note the value of the AuthenticationType for each one and try including them all in a string[] in your SignOut call.

2
 // OWIN cookie ticket issued under the ApplicationCookie type
 AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
 // legacy Forms Authentication cookie, if still configured
 FormsAuthentication.SignOut();
 // ASP.NET session state
 Session.Abandon();
Prince Prasad
  • This may be an improvement over the other answers that already exist, but you didn't explain it. While this code block may answer the question, it would be best if you could provide a little explanation for why it does so. – Robin Daugherty Jun 07 '17 at 14:47
1

From another StackOverflow answer which worked for me: OWIN - Authentication.SignOut() doesn't seem to remove the cookie

Use only one of these:

Request.GetOwinContext().Authentication.SignOut();
Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

https://dzone.com/articles/catching-systemwebowin-cookie

I would assume the second one would work for you, but it looks like that's what you're doing. Can you test that on its own? Comment out your array and confirm that that works or doesn't.

To be honest, I don't know enough about OWIN to know about the Passive Authentication mode, however.

Laki Politis
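The two points raised above (the first answer: the string passed to SignOut must equal the registered AuthenticationType exactly, so debug which types actually hold a ticket; the third answer's linked article: OWIN cookie headers can be lost when System.Web also touches the response) can be seen together in one setup. The following is an added example written for this page, not code from the question or any answer. It assumes ASP.NET MVC 5 with the Microsoft.Owin.Security.Cookies, Microsoft.Owin.Host.SystemWeb (3.0.1 or later, for SystemWebCookieManager) and Microsoft.AspNet.Identity.Core packages; the controller and constant names are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public static class AuthConfig
{
    // One constant for both registration and sign-out: a near miss such as
    // "application" is silently ignored by the cookie middleware, not rejected.
    public const string ApplicationCookie = "Application";

    public static void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = ApplicationCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            LoginPath = new PathString("/Account/Index"),
            LogoutPath = new PathString("/Account/Logout"),
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,
            // Write cookies through System.Web so a later Response.Cookies or
            // Session access in the same request cannot drop the OWIN
            // delete-cookie header (the "cookie monster" issue the linked article describes).
            CookieManager = new SystemWebCookieManager()
        });
    }
}

public class AccountController : Controller
{
    private IAuthenticationManager Auth
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // Debugging aid: which registered middleware currently holds a ticket.
    // In Passive mode the cookie is not applied to User automatically, so each
    // middleware is asked directly instead of reading User.Identities.
    public async Task<ActionResult> WhoAmI()
    {
        var lines = new List<string>();
        foreach (var description in Auth.GetAuthenticationTypes())
        {
            var result = await Auth.AuthenticateAsync(description.AuthenticationType);
            var name = (result != null && result.Identity != null) ? result.Identity.Name : "(no ticket)";
            lines.Add(description.AuthenticationType + ": " + name);
        }
        return Content(string.Join("\n", lines), "text/plain");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        // Exactly the registered names. The external cookie is included because
        // the external sign-in middleware issues its own ticket under that type.
        Auth.SignOut(AuthConfig.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

Hitting /Account/WhoAmI before and after /Account/Logout shows the "Application" line change from the user name to "(no ticket)"; if it does not, the type string in the Logout action and the one printed by WhoAmI differ and should be compared character by character.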
0

I worked on this for days. Here is what finally worked for me. First thing I do is clear the token cache. Next, I create an array of Auth Application Types. I added these 4. You can add more, if you are using them. To my knowledge, I'm only using Cookies and OpenIdConnect, but I added Bearer and Application to be safe. The final step is to clear all remaining Cookies, if any, and any remaining Sessions, if any. Again, I worked on this for days. It was so frustrating. I'm currently using 4.0.1 of these packages.

Install-Package Microsoft.Owin.Security.OpenIdConnect
Install-Package Microsoft.Owin.Security.Cookies
Install-Package Microsoft.Owin.Host.SystemWeb

public ActionResult SignOut()
{
    if (Request.IsAuthenticated)
    {
        string userId = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;

        if (!string.IsNullOrEmpty(userId))
        {
            // Get the user's token cache (app-specific helper) and clear it
            SessionTokenCache tokenCache = new SessionTokenCache(userId, HttpContext);

            string sessionID = HttpContext.Session.SessionID;

            tokenCache.Clear(sessionID);
        }
    }

    // Every authentication type that might have issued a ticket;
    // types that are not registered are ignored by SignOut
    var authTypeNames = new List<string>();
    authTypeNames.Add("Cookies");
    authTypeNames.Add("Application");
    authTypeNames.Add("Bearer");
    authTypeNames.Add("OpenIdConnect");

    // Send a sign-out request (the OpenIdConnect middleware redirects to the provider's end-session endpoint)
    HttpContext.GetOwinContext().Authentication.SignOut(authTypeNames.ToArray());

    // Note: this only empties the server-side copy of the request's cookies;
    // it does not send anything to the browser
    Request.Cookies.Clear();
    Session.RemoveAll();

    return RedirectToAction("Index", "Home");
}
Dumber_Texan2
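The answer above signs out of four types but, by its own account, only "Cookies" and "OpenIdConnect" are registered. The following is an added example, not the answer's code, of the cookie plus OpenID Connect pairing reduced to the two registered types. It assumes the Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Security.Cookies packages; the authority, client id and URIs are placeholders, and the token-cache clearing from the answer is left out.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public static class OidcAuthConfig
{
    public static void ConfigureAuth(IAppBuilder app)
    {
        // The OIDC middleware signs the user in to this type, so sign-out must name it too
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType // "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType, // "OpenIdConnect"
            Authority = "https://login.example.test/",   // placeholder
            ClientId = "my-client-id",                    // placeholder
            RedirectUri = "https://app.example.test/",    // placeholder
            // Where the provider sends the browser back after ending its own session
            PostLogoutRedirectUri = "https://app.example.test/"
        });
    }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public void SignOut()
    {
        // Both strings exactly as registered: the cookie middleware deletes its
        // cookie and the OIDC middleware issues the redirect to the provider's
        // end-session endpoint. Unregistered names such as "Bearer" would be ignored.
        HttpContext.GetOwinContext().Authentication.SignOut(
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);
        // No redirect is returned here: the OIDC middleware writes its own
        // redirect response, and Request.Cookies.Clear() is not needed because
        // it would only empty the server-side copy of the request's cookies.
    }
}
```

Because the provider performs the final redirect, the local cookie is removed by the cookie middleware on this response and the provider session is ended on the next; checking only one of the two is a common reason for thinking sign-out "did not work".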
-3

If you have a master page then please add the below tag. Maybe this would be helpful.

<meta http-equiv="Cache-control" content="no-cache" />
  • I don't see how this could work since I want to cache, and this doesn't work in Firefox or Chrome or even IE over HTTPS - http://securityevaluators.com/knowledge/case_studies/caching/ – Steve Jan 18 '16 at 23:16