Signing out of Identity Server

Question

I am in a Asp.net MVC .net 4.5 Web project connecting to an Identity Server 4 server for logging in and out. Logging in is just fine. When I try to log out the Request.IsAuthenticated is still true. I can refresh and it acts like I am still logged in until I close the browser. When I open it up it then goes to the Identity Server login page. Any Idea why?

Sign out code:

Request.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType);
Session.Clear();
Session.Abandon();

Response Headers:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Kestrel
Set-Cookie: idsrv.session=.; expires=Sun, 17 Sep 2017 20:50:52 GMT; Path=/; Secure
Set-Cookie: idsrv=; expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure
X-Powered-By: ASP.NET
Date: Mon, 17 Sep 2018 20:50:52 GMT
Strict-Transport-Security: max-age=157680000
Content-Length: 601

Request Header:

GET /XWAdmin/account/login HTTP/1.1 Host: localhost Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: rurl=/XWAdmin/; __RequestVerificationToken_L1hXQWRtaW41=wElsOf5d9ti5DtEOmBmEuD9WqhyFAIeVxbIGEFJ9axRvlBQkl2szOHZF5K8wnLG6o8djmjOoI1lk4FavA8X2mHzg3L7xJ05FGx88wvIirsQ1; .AspNet.Cookies=urAb_USLLWmxzlB4lshB6K8-iKdwdzoGlDbverK0SmKKQjBHrBEwTYyP-8pkTvZeuAKqvw8bOInLGpm_1fhfcHjwTps8fXk4ej-xIhQcOpQhux0NqSqE7MUPPDnDwLUDlZVCTiQ5ORm0IhL3hR4Noil0j3pAlUkRAQhZAOMVLATevufvDvxc3ZdzYtQr9jVf-UzGTW1zUClOlmb1YOPEnPoSL3RXTJzjpGayWPDd6EG0FIzd7gYMy9NMrsguN8I3T2SrmU6sJFPI5fpsgvuJJEbLvVmoR57p-wCbYFBzPr-Pvtl5U6X2Xfsj7EaH0GvDgfFUEhx7eB81AZyYm8bO_9ReVm8iPPS9YaDERCSPy4ZW5ECMOmOJHYNLsV_91adYUKRn33A8Mhi6ubkXVof4G6n0xs-NBYVeeEx2OickwN156vcdjyDU31taHWXrnF56snV1Yyl4IWWCjCXHGpcBYe4Ca12XlmFP8ISOSStSlUwp07YitFnX9MxKdsYOsx31pnMgK8jTIIlnMxXX6FuiiVnh2n45CVsQ7GmHQ7RHSH-lr7TEYZOktR_FQceZDYzwrBey5kWalMRi5O4aXyymtEF9tXM9iub0Q_xHq3EfbP_qIbLzmEPHF5lt1uR0A3gASfSJd4Hg1y16eku90ZVqIJcpnvbK7tMmqJuhB8REbvZPwe1EYAW9GbnAMbTTjZmt_sktOSCkwphokJggj2JE87CO5fTKSEOsrPzuB9sg3aRZdpKXMrtHcm0Xh9ybi3L6XTSZzggQLFtc4eo-P16SbHN4vHr2vREFU51uvcXowJr6b9iVTtRoeNF-slMGAtaHf6u5gx-ByyZzmBHYwwzhGM9b5xliuA7-_y7Sd_o8qW2QRhVpyEZo6xMzsGzaHRrJ8E1jFbLd2irtd8LDpOejdlaEjNgeFPwmyd0OHV27iqXLuetyZf6J4OEKXxWo9GgUvRzjc-RbAmT9ITWiKt76q9xgevQydnkCO7fjpP8xw97YxvyYOjaiYMmwa4NcyTidv1kRHBhb8m1hkHR5botVvkNWeg6dolKtHgHD2ufdg-LfXqsAwDdja4Q68ewxsIL0MzKGoqvl7ObqtAyj6pkcfWKFmDpA1QC_iQOuS0XRTJ5dLv3au0TaxnQg9iIX-dJLcXwj0zMSCuVmiTTZVuDEKlzf-AeiJyO3CEdcMY_BEBPlb4lKuBH6qks4wtRwlI2-KLYXAKT5de95SP-NXwk4rKF4yY64feR9RU9UB8iGGOE3JflwzZKng1KGabHbjKHIm6cCTPCRDYsFKN6FuCmOiLiQE1kIhWRTu_L585gIBXyZBR_AEQeqRTObWPVsEn5tdcg3-U2SAcmv3AJ9jPt4s2G19D4H9aKX83T07vQILw-UzVqL8hDYjV-7cGzXYpqNIsuzVyiGz2xU6vT7F6OuGbQjkuFKcKb2rd88CJNsNv8X19XwBghKcbBwIPxX9fkAeASApv1mqdIN873CAEbJpai2HrzMOILwSD6xleXTxobo64cS3ix4qhRgeCE4JfTzgIl8NiQ83S46JKkKTm2RrtZygc4T4kuN6cUI6gikwhcKos2mk9IKf52skT_6LJ-J9HvYXN2k7s8sCdgEbyNIrZMSfm2y7HjytPWguMQjcLYoxMZzYgwOTWbh7qK2uA87RP8w70ClSP56_bAWg_0MYlLx0JQp6bdaWuADwMTzhuH6SiVgiob6tKq09CtobrleLwjcWs97kSw0chDZhWoc8DBrE61NiUfiGrFJTl3GsZoWLEGQkeNxKwG-fmB4Z6zdjiu_lgtMIrLGnzemSBh92P7nnd7BCuA1axU-6_eg85Z7DH7Ek0ZGqCgG99z-4WVO; .ASPXAUTH=1F501DAE995CDF04BEEF4B1C207DEDA77BD115F54948F6A749E69F2AAD45C0AC786761D82AA541B55233EFE708B626D2D3B90DE2AFD7606B20FD3E323FD3FA263E8414DB71F6B6CD58A06498E9AFD0D4F1841022964B71DFCDEFD8564B401649F2A798931A2AFCD3C4721AA7E45D9E87155DA6D8B3956C2975896663DD193B7CB004E11FE2739A71966E9B3E674DCD9BC54225F0A80765FC51D214CE3DD59816F7B1423A3992BA01339C9994A2B20A674F195FA14B77E52810EA513C26564F85F5880C8BFD1C6D5D6CE9316B5096B3E1F3FDE1D233A899F6D13A1F4D7D36CBEEEED3425672FCEDA3D44097A738638969B70954B5B6FDB7B690E6A08845C31BBF587D6F15BEAFFC70293B7FCA4DD5926FACA3409A7542B0117770D014A1267E0424C220F1708B71EB5B5C232855A74BF7B16D82C0F780BE8BE780C68D04A98A043012990F929F74417DE955853FE3258C35262FEDC1B37B247BC80A145C20B1F9FC697028B22F379B233254332D2585BE0C3486053495527E86279E0719CADEED6769FA81F4012BB56E4FD62E4918FAE0A1AA87C8C025DC4F215CB9ABAFE6F16FCF0EC3BAFF0168089BD82A0A39407159114B1A115F59723478DEB74EE78A84B28E67AE9E2D5D72836B46CE63F7E0D4CD1155D52A56616E7BB833F3309F9339734A5777C7013A48DF9B9EA962DBC70645B247A59231345EA1B159B7093A315693C4468F4F25C2A69BD3871D17762FD9EEEEE0BFD2B8C0F425A2F07FB0CCB1845EA1C92273A1537CEB784009BA2793EE92

This is what I did to get it to work combining multiple suggestions:

            string[] ss = Request.GetOwinContext().Authentication.GetAuthenticationTypes().Select(o => o.AuthenticationType).ToArray();
            Request.GetOwinContext().Authentication.SignOut(
                    new AuthenticationProperties
                    {
                        RedirectUri = Online.Server.Busi.Auth.Authentication.GetSingleSignOnRedirectUrl()
                    },
                ss);

            try
            {
                Session.Clear();
                Session.Abandon();
            }
            catch
            { }

            // clear authentication cookie
            HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, "");
            cookie1.Expires = DateTime.Now.AddYears(-1);
            Response.Cookies.Add(cookie1);

I expect you call the SignOut method from your context/ service but do you also clear the session? (In the case you use cookies for storing authorization data) `Session.Clear()` removes all values from the session. `Session.Abandon()` destroys the session. — Saltz, Sep 17 '18 at 20:04
Request.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType);Session.Clear(); Session.Abandon(); — Jim Olson, Sep 17 '18 at 20:10
What do the response headers look like for the sign out request? — mackie, Sep 17 '18 at 20:30
And what do the request headers look like for the subsequent request that reports `IsAuthenticated == true`? — mackie, Sep 18 '18 at 08:39
Make sure you are not storing too many claims in the token. This can make token too large and cause issues. — aaronR, Sep 19 '18 at 17:44

Signing out of Identity Server

0 Answers0

Linked