2

I created an MVC5 app with Identity 2, using Google login (pretty much the empty app, with the Google stuff turned on).

How do I set it up to use session cookies, so they expire when the browser closes? The app will be used by students who may hot swap seats, so I need the login to expire when the browser closes.

I read an SO article that implies this is the default, but when I close the browser and go back to the site, it remembers the Google login.

Edit

Sorry to burst everyone's bubble, but this isn't a duplicate.

It reproduced in Chrome after the settings in the supposed "answer" are changed, and it also reproduces in IE... This is an ASP.NET Identity 2 + Google login issue, not a Chrome issue.

Edit

Adding Startup Auth file for Setup Help

using System;
using System.Configuration;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Google;
using Owin;
using StudentPortalGSuite.Models;

namespace StudentPortalGSuite
{
    public partial class Startup
    {
        // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
        public void ConfigureAuth(IAppBuilder app)
        {
            // Configure the db context, user manager and signin manager to use a single instance per request
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
            app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

            // Enable the application to use a cookie to store information for the signed in user
            // and to use a cookie to temporarily store information about a user logging in with a third party login provider
            // Configure the sign in cookie
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // Enables the application to validate the security stamp when the user logs in.
                    // This is a security feature which is used when you change a password or add an external login to your account.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                }
            });
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
            app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

            // per https://learn.microsoft.com/en-us/aspnet/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on - EWB
            //dev-jcsn email
            app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
            {
                ClientId     = "...",
                ClientSecret = "..."
            });
        }
    }
}

EDIT: The use case I'm trying to fix is, since our app is used in a classroom, that student A closes his/her browser instead of logging out, and then the next user tries to log in. As it stands, they are auto-logged into user A's account.

I'd also be up for a way to 100% log out the user when redirected to the login page, but all the ways I've tried aren't working.

Eric Brown - Cal
  • I tested MVC5 with Identity 2 and Google. It does log out by default when the browser closes. Something must be misconfigured somewhere but there's not enough detail here to figure it out. – Matthew Nov 29 '17 at 16:13
  • I'm guessing it's a config error, but everything I've read says it's on by default. – Eric Brown - Cal Nov 29 '17 at 16:37
  • Probably because the Google account session is still valid. They would need to sign out of Google. Any chance you could just create separate network logins for the students? – Mister Epic Nov 30 '17 at 19:37
  • The requirement I'm given is to log in to our app, and then SSO to Google Apps... So Google login is a requirement, and the users are disadvantaged kids being trained on computers; we can't just "teach them to log out". We have to do it for them when they close the browser (or hit the login page). Any way to close the Google Account sessions? – Eric Brown - Cal Nov 30 '17 at 19:55
  • So, is the problem that it doesn't log out of the AspNet app, or that it doesn't log out of their Google account? The AspNet auth cookie shouldn't be valid if they close the browser and reopen. I'm not sure if Google stays logged in though. – Matthew Dec 01 '17 at 13:23
  • Worse, my best guess is that the ASP.NET half signs out, and the Google half doesn't (either Owin, or Google session), then sometimes it just logs back in, and sometimes it gets in a broken half-logged-out state where it tries to log in and fails, redirecting to the login page. – Eric Brown - Cal Dec 01 '17 at 16:53
  • In case I wasn't clear being able to log back in, means a successful logout(token timeout?)... the broken state is more common. – Eric Brown - Cal Dec 04 '17 at 15:16
  • Can you configure the machines to clear the browser's cookies when it closes? – alex Dec 05 '17 at 21:20
  • I deleted all the cookies in EditThisCookie and the login on the google side is still there. – Eric Brown - Cal Dec 06 '17 at 20:28
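
The comments above turn on which cookie is outliving the browser. As an added example (not code from the original thread), this classifies `Set-Cookie` headers as session, persistent or deleted; the header values are constructed samples, the function names are hypothetical, and `.AspNet.ApplicationCookie` / `.AspNet.ExternalCookie` are the default OWIN cookie names for the two authentication types in the Startup file.

```javascript
// Added example. Each header below is a constructed sample, one case per line.
const SAMPLE_HEADERS = [
  // Non-persistent sign-in: no Expires/Max-Age, so the browser treats it as a session cookie.
  ".AspNet.ApplicationCookie=constructed-ticket; path=/; HttpOnly",
  // Persistent sign-in: explicit expiry, survives a browser restart.
  ".AspNet.ApplicationCookie=constructed-ticket; path=/; expires=Wed, 20-Dec-2017 20:28:00 GMT; HttpOnly",
  // SignOut: empty value with an expiry in the past tells the browser to drop the cookie.
  ".AspNet.ExternalCookie=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT",
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : part.slice(i + 1);
  }
  return cookie;
}

// "session" | "persistent" | "deleted", judged at time `now` (milliseconds since epoch).
function cookieLifetime(header, now) {
  const { attrs } = parseSetCookie(header);
  let expiresAt = null;
  if (typeof attrs["max-age"] === "string") {
    // Max-Age takes precedence over Expires (RFC 6265).
    expiresAt = now + Number(attrs["max-age"]) * 1000;
  } else if (typeof attrs.expires === "string") {
    // Normalise "20-Dec-2017" to "20 Dec 2017" so Date.parse accepts it everywhere.
    expiresAt = Date.parse(attrs.expires.replace(/(\d)-([A-Za-z]{3})-(\d)/, "$1 $2 $3"));
  }
  // A missing or unparsable expiry leaves the cookie as a session cookie.
  if (expiresAt === null || Number.isNaN(expiresAt)) return "session";
  return expiresAt <= now ? "deleted" : "persistent";
}

// One row per header: which cookie, its lifetime, and whether it outlives the browser.
function auditCookies(headers, now) {
  return headers.map((h) => {
    const lifetime = cookieLifetime(h, now);
    return { name: parseSetCookie(h).name, lifetime, survivesBrowserClose: lifetime === "persistent" };
  });
}

console.log(auditCookies(SAMPLE_HEADERS, Date.UTC(2017, 11, 6)));
```

If the application cookie is reported as a session cookie and the user is still signed in after the browser is reopened, the sign-in is not being carried by a persistent application cookie. A browser configured to restore the previous session on startup can also keep session cookies alive across a restart.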

2 Answers

1

Maybe you can catch the window close event on the page and call a logout method:

$(window).on("beforeunload", function() { 
    //ajax call to a post controller that logs the user out

})
katesky8
  • That would work better if I could find a method that reliably logs out... I'm calling every method I can find in my page ready on the login page, but it's not working to log out 'abandoned sessions'. – Eric Brown - Cal Dec 06 '17 at 21:21
  • 1
    Do you have this action method? [HttpPost] [ValidateAntiForgeryToken] public async Task<ActionResult> LogOff() { var user = await UserManager.FindByNameAsync(User.Identity.Name); AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); await UserManager.UpdateSecurityStampAsync(user.Id); return RedirectToAction("Login", "Account"); } – katesky8 Dec 06 '17 at 23:07
  • Except for making it not async, yes – Eric Brown - Cal Dec 07 '17 at 16:23
  • 1
    Then you can do this, or is it not working for you? $(window).on("beforeunload", function() { $.post("/logoff", function(data, status){ alert("Data: " + data + "\nStatus: " + status); }); }) – katesky8 Dec 08 '17 at 16:39
0

Calling this at the top of the LogIn controller method solved the issue.

  // https://stackoverflow.com/questions/28999318/owin-authentication-signout-doesnt-seem-to-remove-the-cookie - stralos's answer
  Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
  Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
Eric Brown - Cal