
I'm having a little trouble deleting cookies when the user logs off.

I'm learning ASP.NET MVC and I've created the default MVC5 application. I've registered and logged in with accounts, and it's all fine, but when I hit log off it works in the sense that it redirects me to the home page, yet it is not deleting the cookies.

I'm checking cookies with this extension of chrome "Edit This Cookie".

First I log in, then copy the cookie using the EditThisCookie extension, then log out and delete the cookies. Now when I paste the copied cookie into the EditThisCookie extension and refresh the page, it logs me in with the same account. The cookies are not being deleted.

LogOff method

// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    return RedirectToAction("Index", "Home");
}

I've tried these from this question:

Request.GetOwinContext().Authentication.SignOut();

Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
Huda Noor

3 Answers


Your way of understanding owin cookie based authentication is wrong :)

  1. Logging in to the app creates an auth cookie which contains information about the authentication and claims (privileges) of the user. Nothing is written to the server session or persisted in any other way.
  2. In every request after logon, the cookie is decoded and verified to check whether the user is still authenticated. If so, it decodes the claims so they can be used later by AuthorizeAttribute.
  3. Logging off removes that cookie from the browser, but if you have persisted that cookie in any way and put it into another request, OWIN will think it is still an authenticated and valid user.

Session.Abandon won't help because DefaultAuthenticationTypes.ApplicationCookie is not session based.

If this is not the desired behaviour, you can possibly add some flag (IsAuthorized) to the session and check it in Global.asax Application_PreRequestHandlerExecute, then redirect to the login form. This way you will have information on both the server and client side. But remember that if server session state fails (e.g. a restart of IIS), all currently logged-in users will be logged off.

Some more information about cookie based authentication: link

RedgoodBreaker
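The answer above proposes a session flag checked in Global.asax so that the server keeps its own record of who is logged out. As an added example (not code from the answerer or from the Identity project), here is the other way to give the server a say over a self-contained cookie in an MVC5 project built from the default template: ASP.NET Identity's security stamp. The cookie middleware is told to re-check the stamp embedded in the cookie against the one stored for the user, and LogOff rotates the stamp before signing out, so a cookie copied with a browser extension fails validation on its next check instead of logging the user back in. The type names `ApplicationUserManager`, `ApplicationUser`, `ApplicationDbContext` and the `GenerateUserIdentityAsync` helper are assumed to exist as the MVC5 template generates them; the page does not show them.

```csharp
// ---- App_Start/Startup.Auth.cs (file and type names as generated by the MVC5 template; assumed) ----
using System;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Once the cookie is older than validateInterval, the security stamp
                // carried inside it is compared with the stamp stored in the database.
                // A mismatch rejects the cookie and signs the request out.
                // A short interval narrows the window in which a copied cookie still works;
                // TimeSpan.Zero checks on every request at the cost of one DB lookup each time.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(1),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// ---- Controllers/AccountController.cs (only the LogOff action is shown) ----
public partial class AccountController : Controller
{
    // UserManager and AuthenticationManager are the properties the template's
    // AccountController already exposes (assumed here).

    // POST: /Account/LogOff
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        string userId = User.Identity.GetUserId();
        if (userId != null)
        {
            // Rotating the stamp invalidates every cookie issued before this point,
            // including copies saved elsewhere, as soon as the validator next runs.
            UserManager.UpdateSecurityStamp(userId);
        }

        // Removes the cookie from this browser; the stamp rotation above is what
        // stops a saved copy of it from being accepted again.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

The check to run after wiring this up is the one described in the question: log in, save the cookie, log off, restore the cookie and refresh. With the stamp rotated, the restored cookie is rejected once validateInterval has elapsed and the request is redirected to the login page. Unlike the session-flag approach, an IIS restart does not log everyone out, because the stamp lives in the user store rather than in session state.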

Replying very late; anyway, trying to reduce the load of unanswered Stack Overflow questions.

To identify each request, the server assigns a unique session id to each user of the web application. The server identifies the user by the session id. The user's server-side sessions are assigned to that session id. Think of it as the model below.

Session ID
 |---------------- Session 1
 |---------------- Session 2

(When you abandon the cookie session, all the related .NET sessions are removed from the server.)

So when you delete the session cookie from the browser, the server does not identify the request and treats it as a new request, and it seems as if the user has been logged out.

But as the session has not been abandoned/removed by the server, if you try to use the copied session's value again in the browser, the server will identify the request's session id and the user will be logged in again.

You can try this with a different browser and machine as well.

G J

This one worked for me.

public ActionResult LogOff()
{
    // Sign out of the OWIN application cookie
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    // Also clear Forms Authentication (needs `using System.Web.Security;`)
    FormsAuthentication.SignOut();
    // Drop any cookies queued on this response, then send an already-expired
    // "Login" cookie so the browser discards its copy
    Response.Cookies.Clear();
    HttpCookie c = new HttpCookie("Login");
    c.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(c);
    Session.Clear();
    // The redirect must come last: statements after a return never execute
    return RedirectToAction("Login", "Account");
}

and the JavaScript like

function userLogOff() {
    location.replace("/Account/LogOff");
}
Michael Rugi