ASP.NET Identity sign-out does not work if the session has been idle for longer than the security stamp validation interval

My site uses ASP.NET MVC 5.2.2 and ASP.NET Identity 2.1.0. In CookieAuthenticationOptions I set ExpireTimeSpan to 30 minutes, and the security stamp validation interval to 2 minutes (so that users are signed out within two minutes of a call to UserManager.UpdateSecurityStampAsync).

The problem is that if a user remains idle for more than 2 minutes and then clicks the "Logout" button, the site fails to log them out. After a little digging, I found that in these cases the server returns a new application cookie (the cookie sent to the server differs from the one that comes back). The OWIN code seems to skip the AuthenticationManager.SignOut call and instead issues a new application cookie, as it normally does when the old one is more than two minutes old.

Has anyone else encountered this problem? Any suggestions for diagnosis and correction?

I am using VS 2013 Update 3, but this problem also existed with previous versions of Identity.

UPDATE:

As an experiment, I created a brand-new ASP.NET web application project from the default VS 2013 templates and saw the same problem: I logged in and then waited for a period equal to the security stamp validateInterval (30 minutes by default). After that I clicked the "Logout" link and noticed that, as in my own project, a) I was not logged out, and b) I was issued a new cookie with a security stamp. I had to click the link a second time to log out. In fact, I did not even have to sit idle for 30 minutes: I could keep making requests during that period, and clicking the logout button would still fail if it was the first request after the 30-minute interval had expired.

This looks like a bug in the OWIN Identity code. Basically, if the first request after the validation interval is a sign-out request, it fails because the code that validates and issues a new security stamp does not check whether the user has signed out as part of the same request. Sign-out requests fail whenever they are the first request after the validation interval, because that request triggers the re-issuing of the security stamp; in other words, sign-out only works within the first minutes after the previous security stamp was issued.

I would be grateful if anyone could confirm this behavior. You do not need to wait 30 minutes or create a new project. Just take an existing project that uses Identity, temporarily set the validation interval to something really short (30 seconds or a minute), log in, and make sure that the first request after the interval expires is a click on the Logout button. If this is a bug, you should notice that you are still logged in.

1 answer

I ran into the same problem. I solved it by changing my AuthenticationManager.SignOut call to specify the authentication types, as follows:

AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie); 

Also, your OWIN components must be at version 3.0.0 (which should already be the case, since you are using Identity 2.1.0).

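As an added example (not code from the question or the answer above), here are the two pieces involved put together: the Startup cookie configuration with the ExpireTimeSpan and security stamp validateInterval the question describes, and a LogOff action that applies the answer's fix of naming the cookie authentication types explicitly in SignOut. It assumes the ApplicationUser, ApplicationUserManager and ApplicationDbContext classes and the GenerateUserIdentityAsync method that the default ASP.NET Identity 2.1 project template generates; those names are not from this page.

```csharp
// Startup.Auth.cs (added example; assumes the ApplicationDbContext, ApplicationUserManager
// and ApplicationUser classes generated by the default ASP.NET Identity 2.1 template)
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // Session lifetime from the question: 30 minutes.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                // Re-check the security stamp every 2 minutes so that a call to
                // UserManager.UpdateSecurityStampAsync invalidates existing sessions
                // within that window. To reproduce the behaviour quickly, as the
                // question suggests, drop this to TimeSpan.FromSeconds(30) temporarily.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(2),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });

        // Temporary cookie used during external (OAuth) sign-in.
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
}

// AccountController.cs (added example)
public class AccountController : Controller
{
    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // The answer's fix: name the cookie authentication types explicitly instead
        // of calling SignOut() without arguments. When this is the first request after
        // validateInterval, the stamp validator regenerates the identity on the same
        // request; the explicit sign-out ensures the application cookie is cleared
        // rather than re-issued.
        AuthenticationManager.SignOut(
            DefaultAuthenticationTypes.ApplicationCookie,
            DefaultAuthenticationTypes.ExternalCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

To check the fix, use the reproduction from the question (a very short validateInterval, then make the logout click the first request after it expires) and inspect the logout response in the browser's developer tools: it should carry a Set-Cookie header that expires the .AspNet.ApplicationCookie (empty value, past expiry date) rather than a fresh cookie value, which is the symptom the question describes.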

Source: https://habr.com/ru/post/1202634/
