I am working on an ASP.NET MVC application and using Azure AD for authentication. The problem is that when I sign out and then sign back in, the previous session is still alive: it was not killed when the user signed out.
Earlier I had a different issue: whenever a user signed out and signed back in, they were always sent back to the sign-in page unless they closed the browser and signed in again. That was fixed by commenting out
// Original registration using the default CookieAuthenticationOptions (replaced by the explicit options below).
app.UseCookieAuthentication(new CookieAuthenticationOptions());
and adding the following code instead:
// Explicit cookie options: the authentication type "Cookies" is the same value as
// CookieAuthenticationDefaults.AuthenticationType, so the sign-out call that names
// the constant still clears this cookie. The System.Web-backed cookie manager is
// what replaced the default one.
// NOTE(review): presumably chosen to stop OWIN and System.Web from clobbering each
// other's cookies (the redirect-loop symptom described above) — confirm.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
});
That resolved the endless redirect back to the sign-in page, but then I noticed that the session is not destroyed on sign-out.
Any thoughts?
Code:
Startup:
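/// <summary>
/// OWIN pipeline: the cookie middleware holds the local login session, and the
/// OpenID Connect middleware authenticates against Azure AD and signs the result
/// into that cookie. The cookie authentication type is the shared constant
/// (its value is "Cookies"), so the SignOut action that names
/// CookieAuthenticationDefaults.AuthenticationType clears this same cookie.
/// </summary>
/// <param name="app">The OWIN application builder supplied by the host.</param>
public void Configuration(IAppBuilder app)
{
    // Any middleware that signs a user in does so through the cookie middleware.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        // Same value as the literal "Cookies", but using the constant keeps it from
        // drifting apart from SetDefaultSignInAsAuthenticationType and SignOut.
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        // System.Web-backed cookie manager; this is what stopped the redirect loop
        // back to the sign-in page.
        CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
        // NOTE(review): CookieSecure is left at its default. For an HTTPS-only
        // deployment consider CookieSecureOption.Always so the session cookie is
        // never sent over plain HTTP — confirm the deployment before changing it.
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        RedirectUri = redirectUri,
        // Where Azure AD sends the browser after federated sign-out (must be
        // registered on the app registration). Here it is the home page.
        PostLogoutRedirectUri = redirectUri,
        Scope = OpenIdConnectScope.OpenIdProfile,
        // "code id_token": the id_token carries the basic claims about the signed-in
        // user. No AuthorizationCodeReceived handler is registered, so nothing in
        // this pipeline redeems the authorization code.
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // Failed authentications are routed to OnAuthenticationFailed.
            AuthenticationFailed = OnAuthenticationFailed
        }
        // NOTE(review): no TokenValidationParameters are set here, so issuer /
        // audience validation relies on the middleware defaults for the configured
        // authority. That is fine for a single-tenant authority; a multi-tenant
        // ("common") authority needs explicit issuer validation — confirm what
        // `authority` holds.
    });
}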
Home controller with the sign-in and sign-out logic:
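/// <summary>
/// Home page. An already-authenticated user is sent straight to the dashboard;
/// everyone else gets the landing view.
/// </summary>
/// <returns>A redirect to DashBoard/Summary, or the home view.</returns>
public Task<ActionResult> Index()
{
    ActionResult result;
    if (Request.IsAuthenticated)
    {
        // The original read ClaimsPrincipal.Current.FindFirst("name").Value here
        // and never used it. That lookup throws a NullReferenceException when the
        // "name" claim is missing from the token, so it is dropped; read the claim
        // where it is actually needed and null-check the FindFirst result.
        result = RedirectToAction("Summary", "DashBoard");
    }
    else
    {
        result = View();
    }

    // No awaited work here, so return a completed task instead of an async method
    // without await (CS1998).
    return Task.FromResult(result);
}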
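/// <summary>
/// Send an OpenID Connect sign-in request (challenge) if the caller is not already
/// authenticated. Alternatively, decorate the protected action with [Authorize]
/// and let the middleware issue the challenge itself.
/// </summary>
/// <remarks>
/// NOTE(review): this action is reachable by GET with no anti-forgery token, so a
/// third-party page can start a login on the user's behalf (login CSRF). Low
/// impact for this flow, but [HttpPost] + [ValidateAntiForgeryToken] closes it
/// if that matters.
/// </remarks>
public void SignIn()
{
    try
    {
        if (Request.IsAuthenticated)
        {
            return;
        }

        // The post-login RedirectUri is a fixed local path, so it cannot be turned
        // into an open redirect. The OIDC middleware converts this challenge into
        // the redirect to Azure AD when the response is applied.
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
    catch (Exception ex)
    {
        // Log the whole exception (type, stack trace, inner exceptions), not just
        // Message: the message alone is of little use when diagnosing a middleware
        // failure after the fact. `throw;` preserves the original stack trace.
        Log.Error(ex.ToString());
        throw;
    }
}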
/// <summary>
/// Send an OpenID Connect sign-out request: signs out of the local cookie session
/// and of the OpenID Connect middleware, which hands the user to Azure AD for
/// federated sign-out and then back to PostLogoutRedirectUri.
/// </summary>
/// <remarks>
/// NOTE(review): this only touches the OWIN authentication cookie. It does not
/// abandon ASP.NET Session state (HttpContext.Session); if the app keeps
/// per-user data there, call Session.Abandon() as well — confirm whether that is
/// the "session" that survives sign-out.
/// </remarks>
public void SignOut()
{
    var authentication = HttpContext.GetOwinContext().Authentication;
    var authenticationTypes = new[]
    {
        OpenIdConnectAuthenticationDefaults.AuthenticationType,
        CookieAuthenticationDefaults.AuthenticationType
    };
    authentication.SignOut(authenticationTypes);
}
}