
We call Request.GetOwinContext().Authentication.SignOut(); to remove the cookie. There is reference to it on this thread: OWIN - Authentication.SignOut() doesn't seem to remove the cookie.

Post the above call, I call Session.Abandon() as part of the user's logout process.

It seems to remove the browser cookie, however if I replay the previous request with the OWIN cookie I can still access the page/resource in my application.

I was expecting it to error out, given that Session.Abandon() would have removed the session and hence even if the OWIN cookie was sent across it would not be able to use that session.

Is there something else I am missing?

Rahul J
  • You might be confusing server side session (which is abandoned when you call `Session.Abandon`) and the client side session established with the auth cookie. The two are unrelated. The auth cookie is self-contained, it contains user name and other claims. Thus, if you replay the request with the cookie, although the server side session container can be empty, the cookie itself will establish a valid context so that the username (and other claims) will be accepted by the server. – Wiktor Zychla Apr 29 '19 at 05:42
  • Thanks Wiktor. Any recommendation on how to prevent the replay request from establishing a valid context - especially after the user has signed out but the replay request has captured the cookie details? – Rahul J Apr 29 '19 at 08:42
  • It's rarely done in practice. The common approach is, when your users use the secured channel (SSL) there's no chance to eavesdrop the cookie so that it would be the user themselves to replay the cookie, but they are allowed to. If you really want to prevent that, [check this old question](https://stackoverflow.com/questions/16062808/form-authentication-cookie-replay-attack-protection) as a starting point. – Wiktor Zychla Apr 29 '19 at 09:52
  • Thanks Wiktor. Makes sense. We are exploring the http module check mentioned in the other thread. – Rahul J Apr 29 '19 at 13:34
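The comments above describe why the replay works: the OWIN auth cookie is self-contained, so `Session.Abandon()` never touches it and a replayed copy still decrypts to a valid identity. The approach below is an added example, not code from the question, from the comments, or from the linked thread. It puts a per-login "session id" claim into the identity at sign-in, records it server-side, revokes it at sign-out, and uses the cookie middleware's `OnValidateIdentity` callback to reject any cookie whose session id is no longer active. The `SessionRegistry` class, the claim type URI and the `"ApplicationCookie"` authentication type name are assumptions made for this example.

```csharp
// Added example (not from the question or comments): server-side revocation
// for the OWIN cookie middleware. The cookie stays self-contained, but every
// request is checked against a registry of still-active logins, so a cookie
// captured before sign-out is rejected after it.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical in-memory registry of active logins. In a real deployment this
// would be a shared store (database or cache) so every web node sees the same
// revocations and they survive an app-pool recycle.
public static class SessionRegistry
{
    public const string SessionIdClaimType = "urn:example:owin-session-id"; // assumed name
    private static readonly ConcurrentDictionary<string, DateTime> Active =
        new ConcurrentDictionary<string, DateTime>();

    // Called at sign-in: mint an unguessable id and mark it active.
    public static string Issue()
    {
        var id = Guid.NewGuid().ToString("N");
        Active[id] = DateTime.UtcNow;
        return id;
    }

    public static bool IsActive(string id) => id != null && Active.ContainsKey(id);

    // Called at sign-out: any cookie carrying this id is now dead, replayed or not.
    public static void Revoke(string id)
    {
        if (id != null) Active.TryRemove(id, out _);
    }
}

public class Startup
{
    public const string CookieType = "ApplicationCookie"; // assumed auth type name

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieType,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request that presents a decryptable auth cookie.
                OnValidateIdentity = context =>
                {
                    var sessionId = context.Identity?
                        .FindFirst(SessionRegistry.SessionIdClaimType)?.Value;
                    if (!SessionRegistry.IsActive(sessionId))
                    {
                        // Cryptographically valid cookie, but the login behind it
                        // has ended: drop the identity and clear the cookie.
                        context.RejectIdentity();
                        context.OwinContext.Authentication.SignOut(
                            context.Options.AuthenticationType);
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

// Sign-in / sign-out helpers a controller would call via Request.GetOwinContext().
public static class AuthActions
{
    public static void SignIn(IOwinContext owin, string userName)
    {
        var identity = new ClaimsIdentity(Startup.CookieType);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(SessionRegistry.SessionIdClaimType,
                                    SessionRegistry.Issue()));
        owin.Authentication.SignIn(new AuthenticationProperties { IsPersistent = false },
                                   identity);
    }

    public static void SignOut(IOwinContext owin)
    {
        var sessionId = (owin.Authentication.User?.Identity as ClaimsIdentity)?
            .FindFirst(SessionRegistry.SessionIdClaimType)?.Value;
        SessionRegistry.Revoke(sessionId);          // invalidates replayed copies too
        owin.Authentication.SignOut(Startup.CookieType);
    }
}
```

The trade-off is one registry lookup per authenticated request, which is the cost of making a stateless cookie revocable; pairing it with a short `ExpireTimeSpan` on the cookie bounds how long a replayed cookie could be useful even if the registry check were ever skipped.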
