In the app itself, when logging in with one of the providers (I chose Google), I can see in the browser history (Chrome) the URL that contains the claims returned from ACS. It's the URL that starts with:
Going to this URL logs me in to the app, even after clearing all browser cache and cookies.
So if I log in to the app from some public computer, and then log out, my account is exposed by going to this URL in the browser's history.
I know this is the standard way that ACS Identity handling works. What am I missing here?
I made some test app to reproduce the issue.
1) This is the code that runs when the user logs out:
If you copy the Claim Token URL into the address bar of the browser, the website thinks you have logged in and redirects to the personal page and personal information page, right? Even if you close the browser and open a new instance or start a new session.
The token is available if you have not logged out the correct way, so you can use this URL to log in automatically, and after the token has expired (the default is 28800 seconds (8 hours)), the URL will be unavailable. So if you think it's unsafe for customers, try to modify your ACS policies (the time-out property) or add a logout button to your application.
I have just created an example for testing this situation.
First, when you log in on the Google login page, please do not select the "Stay signed in" checkbox below the Email and Password; if you select it, Google will help you log in with ACS.
Second, from the Request.Form property when you log in (please set a breakpoint to view it), you will find some Token and ACS information in it (you need to decode it several times); at last, you can get the Token lifetime, just like below:
If you open the same page or a new tab of this window, you will find the application is still available because of the SessionAuthenticationModule (web.config) module: the application will create a cookie to manage sessions. So you must open a new window or a new session, or use another browser (such as Chrome). It works fine; the application will redirect to the Google login page.
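The two answers above make the point that a bearer token stays usable until it expires, and that the relying party's own session cookie is what the user actually signs out of. The following is an added illustration, not code from this thread, from ACS or from WIF: a toy relying party that signs its own tokens (a constructed HMAC scheme, standing in for the real issuer's signature), enforces the expiry, and keeps a server-side replay cache of token ids it has already consumed, so a token URL pulled back out of browser history after logout is rejected rather than re-creating a session. All names (`issue_token`, `RelyingParty`, `ISSUER_KEY`) are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo signing key; a real issuer signs with its own key material.
ISSUER_KEY = b"constructed-demo-signing-key"
DEFAULT_LIFETIME = 28800  # seconds; the 8-hour default mentioned in the thread


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, lifetime: int = DEFAULT_LIFETIME,
                now: Optional[float] = None) -> str:
    """Mint a signed bearer token carrying a unique id (jti) and an expiry (exp)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "jti": secrets.token_hex(8), "exp": now + lifetime}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def parse_token(token: str) -> Optional[dict]:
    """Return the payload if the signature verifies, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


class RelyingParty:
    """Hypothetical relying party: token replay cache plus server-side sessions."""

    def __init__(self) -> None:
        self.consumed = {}  # jti -> exp; tokens already exchanged for a session
        self.sessions = {}  # session cookie value -> subject

    def _purge(self, now: float) -> None:
        # Entries can be dropped once the token would fail the expiry check anyway.
        self.consumed = {j: e for j, e in self.consumed.items() if e > now}

    def login_with_token(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a presented token for a session cookie, or refuse it."""
        now = time.time() if now is None else now
        payload = parse_token(token)
        if payload is None or payload["exp"] <= now:
            return None  # forged, tampered or expired
        self._purge(now)
        if payload["jti"] in self.consumed:
            return None  # replay: this token was already used to sign in
        self.consumed[payload["jti"]] = payload["exp"]
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = payload["sub"]
        return cookie

    def subject_for(self, cookie: str) -> Optional[str]:
        return self.sessions.get(cookie)

    def logout(self, cookie: str) -> None:
        # Signing out removes the server-side session; the replay cache keeps
        # the original token from being used a second time.
        self.sessions.pop(cookie, None)


if __name__ == "__main__":
    rp = RelyingParty()
    tok = issue_token("alice", now=1000)
    cookie = rp.login_with_token(tok, now=1001)
    print("first use of token:", rp.subject_for(cookie))
    rp.logout(cookie)
    print("after logout:", rp.subject_for(cookie))
    print("replay from history:", rp.login_with_token(tok, now=1002))
```

The point of the replay cache is that nothing on the client (history, cache, cookies) has to be trusted: the relying party records, for the token's remaining lifetime, that it has already turned this token into a session, and a second presentation is refused even though the signature and expiry are still valid.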
About the Request.Form property that contains the interval, I will check it, but I have a feeling it will be correct. Other than that, what you said doesn't happen for me. The Claims URL in history will log me in even if: 1) when I logged in I didn't check "remember me"; 2) in the logout I put
3) after logging out, I clean the browser cache and cookies and close the browser.