Cookie is not deleted after logging out with Asp.Net 5 Identity 3.0

I have an ASP.NET MVC application (version 6.0.0-rc1-final) with user roles and user stores. After some struggles, I was finally able to create a working login mechanism. However, I now have problems creating a clean logout. My logout code in the controller currently looks like this:

    public async Task<ActionResult> Logout()
    {
        if (User.Identity.IsAuthenticated)
        {
            await SignInManager.SignOutAsync();
        }
        return RedirectToAction("Index", "App");
    }

The problem with this code is that one cookie is not deleted: .AspNet.Microsoft.AspNet.Identity.Application

Until I delete the cookie manually, the application is in a dirty state and throws null reference exceptions, because User.Identity is null.

I found an answer (https://stackoverflow.com/a/3129648/212828/2000/2000/subscribe/questions/219828/...) describing a similar scenario. But the solution is not suitable for me, because I am using MVC 6, which no longer has System.Web.

I also have a sample solution that just works great. In this solution, the mentioned cookie is never created. Perhaps the right solution is not to delete the cookie after logging out, but rather to prevent the creation of a cookie.

+5

3 answers

The problem is that your RedirectToAction overrides the redirect to the identity server's end-session URL that SignOutAsync issues.

(The same explanation for the same problem is given here by HaoK from Microsoft.)

Edit: The solution is to pass the redirect URL in an AuthenticationProperties object to the final SignOutAsync call:

    using Microsoft.AspNetCore.Authentication; // SignOutAsync extension, AuthenticationProperties
    using Microsoft.AspNetCore.Http;           // IHttpContextAccessor

    // in some controller/handler, notice the "bare" Task return value
    public async Task LogoutAction()
    {
        // SomeOtherPage is where we redirect to after sign-out
        await MyCustomSignOut("/SomeOtherPage");
    }

    // probably in some utility service
    public async Task MyCustomSignOut(string redirectUri)
    {
        // inject IHttpContextAccessor to get "context"
        // (assumes a field _httpContextAccessor populated by the constructor)
        var context = _httpContextAccessor.HttpContext;

        // clear the local cookie session first
        await context.SignOutAsync("Cookies");

        var prop = new AuthenticationProperties() { RedirectUri = redirectUri };

        // after sign-out at the identity provider this will redirect to your provided target
        await context.SignOutAsync("oidc", prop);
    }
+1

I can fix the dirty state of my application after logging out by manually deleting the cookie after the logout action:

    public async Task<ActionResult> Logout()
    {
        if (User.Identity.IsAuthenticated)
        {
            await SignInManager.SignOutAsync();
        }

        // Cookies cannot be removed server-side, so overwrite every cookie the
        // browser sent with an empty, already-expired copy and let the browser drop it.
        foreach (var key in HttpContext.Request.Cookies.Keys)
        {
            HttpContext.Response.Cookies.Append(key, "", new CookieOptions()
            {
                Expires = DateTime.Now.AddDays(-1)
            });
        }

        return RedirectToAction("Index", "App");
    }

Since cookies cannot be deleted directly from the server, I simply overwrite the existing cookies with an expiry date that is already in the past.

+1
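Expiring every cookie the browser sent, as the answer above does, also discards cookies the application still needs (antiforgery, session, consent). The following is an added example, not code from the question or any of the answers: it targets only the authentication cookie and builds the deletion from the same CookieBuilder the handler used to issue it, because a browser ignores a Set-Cookie deletion whose Path or Domain does not match the cookie it holds. It assumes ASP.NET Core 2.x or later with cookie authentication registered under CookieAuthenticationDefaults.AuthenticationScheme; the controller name, the "App" redirect target taken from the question, and the field names are constructed for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Hypothetical controller (example only, not from the original page).
public class AccountController : Controller
{
    // Named options give access to the exact CookieBuilder the handler uses,
    // including the cookie name that PostConfigure fills in when none was set.
    private readonly IOptionsMonitor<CookieAuthenticationOptions> _cookieOptions;

    public AccountController(IOptionsMonitor<CookieAuthenticationOptions> cookieOptions)
    {
        _cookieOptions = cookieOptions;
    }

    // POST + antiforgery token: a logout reachable by a plain GET can be
    // triggered cross-site by any page the user visits.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        const string scheme = CookieAuthenticationDefaults.AuthenticationScheme;

        // Let the authentication handler clear its own cookie first; this is the
        // normal path and is sufficient when the scheme matches the one used to sign in.
        await HttpContext.SignOutAsync(scheme);

        // Defensive second step: expire only the authentication cookie, with the
        // Path/Domain/HttpOnly/Secure/SameSite attributes it was issued with.
        // Build(HttpContext) reproduces those attributes from the registered options.
        var options = _cookieOptions.Get(scheme);
        var deleteOptions = options.Cookie.Build(HttpContext);
        Response.Cookies.Delete(options.Cookie.Name, deleteOptions);

        // Other cookies (antiforgery, session, consent) are left alone.
        return RedirectToAction("Index", "App");
    }
}
```

After the action runs, the response carries one Set-Cookie header for the authentication cookie with an expiry in the past and the original Path and Domain; inspecting that header in the browser's network tab is the quickest way to confirm that the deletion actually matches the cookie that was issued.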

In addition to everything that has already been mentioned, also make sure that you do not omit the scheme argument in SignInAsync and SignOutAsync, and that you are passing the same value to both. For instance:

    HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

and

    HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

So in this example the scheme is CookieAuthenticationDefaults.AuthenticationScheme. In my case I forgot to pass it to SignOutAsync, and it then took me more time than I would like to admit to track that down.

0
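The mismatch the answer above describes is easiest to rule out by having exactly one definition of the scheme and using it at registration, sign-in and sign-out. The following is an added example, not code from the page: a minimal ASP.NET Core 6 or later application (minimal hosting model) in which a single constant drives AddAuthentication, AddCookie, SignInAsync and SignOutAsync, and the cookie is given an explicit name so you know which Set-Cookie header to look for after logout. The cookie name "DemoApp.Auth", the route paths and the demo login that trusts a user name from the request are constructed for the example; a real application validates credentials against its user store.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// One scheme constant, used everywhere below. If sign-in and sign-out disagree on
// this value, SignOutAsync clears a cookie that was never issued and the real one stays.
const string AuthScheme = CookieAuthenticationDefaults.AuthenticationScheme;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(AuthScheme)               // default scheme for sign-in, sign-out and challenge
    .AddCookie(AuthScheme, options =>
    {
        options.Cookie.Name = "DemoApp.Auth";    // constructed name: explicit, so it is easy to verify
        options.Cookie.HttpOnly = true;          // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        options.SlidingExpiration = true;
        options.LoginPath = "/login";
    });

var app = builder.Build();

app.UseAuthentication();

// Demo-only login: binds "user" from the query string and trusts it.
// A real handler checks a password or external token before calling SignInAsync.
app.MapPost("/login", async (HttpContext ctx, string user) =>
{
    var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, AuthScheme);
    await ctx.SignInAsync(AuthScheme, new ClaimsPrincipal(identity));
    return Results.Redirect("/");
});

// Logout uses the SAME scheme constant, so the handler emits an expired
// Set-Cookie for DemoApp.Auth with the Path and attributes it was issued with.
app.MapPost("/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(AuthScheme);
    return Results.Redirect("/");
});

// Simple probe to observe the effect of login and logout.
app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? $"Signed in as {ctx.User.Identity.Name}"
        : "Anonymous");

app.Run();
```

Running the app and exercising POST /login?user=alice, GET /, POST /logout, GET / in sequence should show "Signed in as alice" and then "Anonymous", with the logout response carrying a Set-Cookie for DemoApp.Auth whose expiry is in the past. Because the scheme is a single constant, changing it later cannot reintroduce the mismatch the answer warns about.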

Source: https://habr.com/ru/post/1241114/
